Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities

Microsoft has unveiled its monthly security update for May 2026, addressing a total of 137 vulnerabilities across various products. Among these, 31 have been classified as “critical,” although Microsoft has reported that none are currently being exploited in active attacks.

Critical Vulnerabilities Overview

Of the critical vulnerabilities identified, 16 pertain to remote code execution (RCE) issues within Microsoft Windows services and applications. These include notable products such as Microsoft Office, Microsoft Word, and Azure, among others. The vulnerabilities span several components, including:

  • Windows Native WiFi Miniport Driver
  • Microsoft Dynamics 365
  • Windows GDI
  • Microsoft SharePoint
  • Windows DNS Client

Specific vulnerabilities of concern include:

  • CVE-2026-32161: A critical use-after-free vulnerability in the Windows Native WiFi Miniport Driver, arising from improper synchronization, that could allow an unauthorized attacker to execute code over an adjacent network.
  • CVE-2026-40358: A critical use-after-free vulnerability in Microsoft Office that could allow an unauthorized attacker to execute code locally.
  • CVE-2026-41089: A stack-based buffer overflow in Windows Netlogon, which could permit an unauthorized attacker to execute code over a network without prior access.

Other vulnerabilities include critical heap-based buffer overflows in Microsoft Office and Windows components. Triggering these may require a user to interact with a specially crafted file or application.

Additional Important Vulnerabilities

In addition to the critical vulnerabilities, Microsoft has flagged several important vulnerabilities that are deemed more likely to be exploited:

  • CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
  • CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

A comprehensive list of all vulnerabilities disclosed this month can be accessed on Microsoft’s update page.

Response and Mitigation Strategies

In light of these vulnerabilities, Talos is rolling out a new Snort ruleset designed to detect attempts to exploit several of the identified issues. Users of Cisco Security Firewalls are advised to update their ruleset to the latest version. Additionally, open-source Snort Subscriber Ruleset customers can acquire the most recent rule pack via Snort.org.

This release includes Snort 2 rules that provide protection against many of the vulnerabilities. Snort 3 rules are also available.
