This month’s Patch Tuesday remedies 137 security vulnerabilities, including 31 marked critical by Microsoft, with no zero-days actively exploited in the wild.

Microsoft defines a zero-day as “a flaw in software for which no official patch or security update is available yet.” This month, Microsoft has not observed any of the included vulnerabilities being exploited in production environments.

Still, this release is far from low-risk. A large chunk of the critical bugs allow remote code execution (RCE) across Windows services, Office, Azure, SharePoint, and graphics components. That means attackers who trick a user into opening a malicious document or lure them into connecting to a malicious service could gain full control of a system.

Two vulnerabilities to prioritize

From that list, we selected two that look like they could cause some trouble.