Microsoft Patch Tuesday Analysis – May 2026

Executive Summary

On Tuesday, May 12, 2026, Microsoft released its monthly security update, addressing 137 vulnerabilities across its products.

By severity level:

  • Important - 103;
  • Critical - 30;
  • Moderate - 3;
  • Low - 1.

General Trends

The May 2026 Patch Tuesday brought the IT community 137 fixes. Although the overall volume has slightly decreased compared to the record-breaking April (165), the composition of this update makes it one of the most dangerous this year. The main anomaly of the month is the unprecedented number of "Critical" vulnerabilities. Key trends for May include:

  • Anomalous spike in critical vulnerabilities: A colossal number of critical-level vulnerabilities were patched this month — 30 (for comparison: there were 8 in April, and 0 in March). This indicates the discovery of an entire layer of fundamental architectural flaws in Microsoft products.
  • Absence of Zero-Days: Officially, there are no actively exploited or publicly disclosed vulnerabilities in the May release (at the time of publication). However, the presence of dozens of vulnerabilities with a CVSS score above 9.0 guarantees that threat actors have already begun reverse-engineering the patches to create exploits.
  • Threats to core infrastructure (CVSS 9.8 - 10.0): The most critical components of corporate networks are under attack. Remote Code Execution (RCE) vulnerabilities have been patched in Windows Netlogon (CVE-2026-41089) and Windows DNS Client (CVE-2026-41096). Flaws in these components traditionally pave the way for self-propagating worms and instant domain controller takeovers. Additionally, an exceptionally rare vulnerability with a maximum score of CVSS 10.0 was identified in Azure DevOps, threatening a total compromise of software supply chains.
  • Massive attack on SharePoint and Office: The large-scale code cleanup in collaboration applications continues. SharePoint servers received another massive batch of RCE fixes (over 6 critical and important CVEs). Simultaneously, a giant cluster of RCE vulnerabilities in desktop clients (Microsoft Word, Excel, and Office) was closed (over 15 CVEs), confirming the attackers' relentless focus on phishing campaigns using malicious documents.
  • Vulnerabilities in cloud data services: Significant attention has been given to data security in the cloud. Critical fixes (CVSS 9.9) affected Azure Managed Instance for Apache Cassandra, Azure Logic Apps, and Dynamics 365.

Full List of Vulnerabilities

Below is a table of all the vulnerabilities patched this month.

| CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed |
|---|---|---|---|---|---|---|
| CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability | Information Disclosure | 10.0 | Critical | No | No |
| CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | Remote Code Execution | 9.9 | Critical | No | No |
| CVE-2026-42823 | Azure Logic Apps Elevation of Privilege Vulnerability | Elevation of Privilege | 9.9 | Important | No | No |
| CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Remote Code Execution | 9.9 | Critical | No | No |
| CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Critical | No | No |
| CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Critical | No | No |
| CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability | Information Disclosure | 9.6 | Critical | No | No |
| CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability | Spoofing | 9.6 | Critical | No | No |
| CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability | Spoofing | 9.3 | Critical | No | No |
| CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | 9.3 | Critical | No | No |
| CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability | Security Feature Bypass | 9.1 | Important | No | No |
| CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability | Elevation of Privilege | 9.1 | Critical | No | No |
| CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Remote Code Execution | 9.1 | Important | No | No |
| CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | Remote Code Execution | 9.0 | Critical | No | No |
| CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability | Spoofing | 8.8 | Critical | No | No |
| CVE-2026-33110 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-33112 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-34329 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-35436 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2026-35439 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-40357 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Critical | No | No |
| CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Critical | No | No |
| CVE-2026-40420 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2026-41086 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2026-41094 | Microsoft Data Formulator Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2026-41109 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | Security Feature Bypass | 8.8 | Important | No | No |
| CVE-2026-41613 | Visual Studio Code Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability | Elevation of Privilege | 8.6 | Critical | No | No |
| CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No |
| CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability | Elevation of Privilege | 8.3 | Important | No | No |
| CVE-2026-33833 | Azure Machine Learning Notebook Spoofing Vulnerability | Spoofing | 8.2 | Important | No | No |
| CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability | Spoofing | 8.2 | Critical | No | No |
| CVE-2026-40415 | Windows TCP/IP Remote Code Execution Vulnerability | Remote Code Execution | 8.1 | Important | No | No |
| CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability | Elevation of Privilege | 8.1 | Critical | No | No |
| CVE-2026-34332 | Windows Kernel-Mode Driver Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Important | No | No |
| CVE-2026-40368 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Important | No | No |
| CVE-2026-32204 | Azure Monitor Agent Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33834 | Windows Event Logging Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33835 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33837 | Windows TCP/IP Local Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33838 | Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33840 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33841 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34330 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34333 | Windows Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34334 | Windows TCP/IP Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34336 | Windows DWM Core Library Information Disclosure Vulnerability | Information Disclosure | 7.8 | Important | No | No |
| CVE-2026-34337 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34338 | Windows Telephony Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34343 | Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34344 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-34351 | Windows TCP/IP Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-35415 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-35417 | Windows Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-35418 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-35420 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2026-40360 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 7.8 | Important | No | No |
| CVE-2026-40362 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40377 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40381 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40382 | Windows Telephony Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40397 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40398 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40399 | Windows TCP/IP Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40407 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40408 | Windows WAN ARP Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40417 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40418 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-40419 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-41088 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-41095 | Data Deduplication Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-41611 | Visual Studio Code Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2026-42831 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2026-42896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | Elevation of Privilege | 7.7 | Critical | No | No |
| CVE-2026-42832 | Microsoft Office Spoofing Vulnerability | Spoofing | 7.7 | Important | No | No |
| CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | Information Disclosure | 7.5 | Critical | No | No |
| CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability | Information Disclosure | 7.5 | Critical | No | No |
| CVE-2026-32161 | Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability | Remote Code Execution | 7.5 | Critical | No | No |
| CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability | Information Disclosure | 7.5 | Critical | No | No |
| CVE-2026-35424 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No |
| CVE-2026-40405 | Windows TCP/IP Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No |
| CVE-2026-40406 | Windows TCP/IP Information Disclosure Vulnerability | Information Disclosure | 7.5 | Important | No | No |
| CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No |
| CVE-2026-40413 | Windows TCP/IP Denial of Service Vulnerability | Denial of Service | 7.4 | Important | No | No |
| CVE-2026-40414 | Windows TCP/IP Denial of Service Vulnerability | Denial of Service | 7.4 | Important | No | No |
| CVE-2026-41107 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Information Disclosure | 7.4 | Moderate | No | No |
| CVE-2026-42893 | Microsoft Outlook for iOS Tampering Vulnerability | Tampering | 7.4 | Important | No | No |
| CVE-2026-32177 | .NET Elevation of Privilege Vulnerability | Elevation of Privilege | 7.3 | Important | No | No |
| CVE-2026-35433 | .NET Elevation of Privilege Vulnerability | Elevation of Privilege | 7.3 | Important | No | No |
| CVE-2026-40401 | Windows TCP/IP Denial of Service Vulnerability | Denial of Service | 7.1 | Important | No | No |
| CVE-2026-41101 | Microsoft Word for Android Spoofing Vulnerability | Spoofing | 7.1 | Important | No | No |
| CVE-2026-41102 | Microsoft PowerPoint for Android Spoofing Vulnerability | Spoofing | 7.1 | Important | No | No |
| CVE-2026-33839 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34331 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34340 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34341 | Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34342 | Windows Print Spooler Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34345 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-34347 | Windows Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-35416 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-40410 | Windows SMB Client Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-42825 | Windows Telephony Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2026-21530 | Windows Rich Text Edit Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2026-32170 | Windows Rich Text Edit Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2026-41097 | Secure Boot Security Feature Bypass Vulnerability | Security Feature Bypass | 6.7 | Important | No | No |
| CVE-2026-34350 | Windows Storport Miniport Driver Denial of Service Vulnerability | Denial of Service | 6.5 | Important | No | No |
| CVE-2026-35422 | Windows TCP/IP Driver Security Feature Bypass Vulnerability | Security Feature Bypass | 6.5 | Important | No | No |
| CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2026-42830 | Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability | Elevation of Privilege | 6.5 | Important | No | No |
| CVE-2026-42891 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | 6.5 | Moderate | No | No |
| CVE-2026-41610 | Visual Studio Code Security Feature Bypass Vulnerability | Security Feature Bypass | 6.3 | Important | No | No |
| CVE-2026-40380 | Windows Volume Manager Extension Driver Remote Code Execution Vulnerability | Remote Code Execution | 6.2 | Important | No | No |
| CVE-2026-41614 | M365 Copilot for Desktop Spoofing Vulnerability | Spoofing | 6.2 | Important | No | No |
| CVE-2026-32185 | Microsoft Teams Spoofing Vulnerability | Spoofing | 5.5 | Important | No | No |
| CVE-2026-34339 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Denial of Service | 5.5 | Important | No | No |
| CVE-2026-35419 | Windows DWM Core Library Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2026-35440 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2026-41612 | Visual Studio Code Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2026-35423 | Windows 11 Telnet Client Information Disclosure Vulnerability | Information Disclosure | 5.4 | Important | No | No |
| CVE-2026-42838 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Elevation of Privilege | 5.4 | Important | No | No |
| CVE-2026-32209 | Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability | Security Feature Bypass | 4.4 | Important | No | No |
| CVE-2026-41100 | Microsoft 365 Copilot for Android Spoofing Vulnerability | Spoofing | 4.4 | Important | No | No |
| CVE-2026-32175 | .NET Core Tampering Vulnerability | Tampering | 4.3 | Important | No | No |
| CVE-2026-35429 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | 4.3 | Moderate | No | No |
| CVE-2026-40416 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | 4.3 | Low | No | No |
| CVE-2026-40421 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | 4.3 | Important | No | No |

Retrospective Vulnerability Analysis

  • CVE-2026-21250 — Windows HTTP.sys Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability is caused by an Untrusted Pointer Dereference in the http.sys kernel driver. An attacker can send a specially crafted HTTP packet containing a binary payload in the headers (e.g., in X-Trigger-Ptr), which, if improperly handled by the driver, allows local privilege escalation to the SYSTEM level. To exploit the flaw and bypass protection mechanisms (ASLR), techniques like heap spraying and Keep-Alive connection state manipulation can be used. A PoC for this vulnerability has been published on GitHub. The vulnerability was patched in February 2026.

  • CVE-2026-23671 — Windows Bluetooth RFCOMM Protocol Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the Bluetooth RFCOMM protocol driver caused by incorrect synchronization when accessing shared resources (race condition). This leads to a Use-After-Free error, allowing an authenticated local attacker to execute arbitrary code in kernel mode. Successful exploitation allows for privilege escalation to the SYSTEM level; however, the attack is characterized by high complexity, as it requires precise timing to "win" the race condition. A PoC for this vulnerability has been published on GitHub. Patched in March 2026.

  • CVE-2026-24294 — Windows SMB Server Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability allows a local user to escalate their privileges to the SYSTEM level using the NTLM-reflection mechanism and a new feature for SMB connections over arbitrary TCP ports introduced in Windows Server 2025 and Windows 11 24H2. The attack involves forcing a privileged service (LSASS) to authenticate to an attacker-controlled SMB server via a non-standard port, thereby bypassing classic Local NTLM Reflection protections and relaying the acquired token to the genuine SMB service (port 445). The published PoC demonstrates exploitation using modified PetitPotam and Impacket tools. The vulnerability was patched in March 2026.

  • CVE-2026-26128 — Windows SMB Server Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability allows an authenticated local attacker to escalate their privileges to the SYSTEM level via a Kerberos Reflection attack. Exploitation is possible due to a Unicode character normalization bypass during Service Principal Name (SPN) resolution: due to differences in string processing functions within the DNS cache service and on the domain controller, an attacker can register a spoofed DNS record and redirect authentication traffic to their own host. A PoC is available on GitHub, allowing attacks against AD CS and MSSQL services. The vulnerability was patched in March 2026.

  • CVE-2026-26168 — Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Elevation of Privilege). A Race Condition vulnerability in the afd.sys kernel driver, arising from incorrect synchronization of access to connection objects. In the AfdAddConnectedReference function, the spinlock is released before the object's reference counter increment is completed, creating a vulnerability window for a Use-After-Free scenario. A local attacker, even one with low privileges in an AppContainer, can exploit this flaw to escalate their rights to the SYSTEM level. The published PoC in Python demonstrates the attack mechanism via concurrent calls to connect() and closesocket(), leading to kernel memory pool corruption and a system crash. The vulnerability was patched in April 2026.

  • CVE-2026-33101 — Windows Print Spooler Elevation of Privilege Vulnerability (Elevation of Privilege). A Use-After-Free (UAF) vulnerability in the OpenPrinterExW function, occurring when processing the _SPLCLIENT_CONTAINER (Level 2) structure. Due to a logical error, if the RouterOpenPrinter function fails, the container's memory is freed, yet the system unconditionally writes the handle to the freed memory slot. This allows a local attacker to gain SYSTEM-level rights through heap manipulations of the spoolsv.exe process. According to the technical analysis and the available PoC, Windows 11 24H2 systems prior to build 26100.8246 are affected. The vulnerability was patched in April 2026.

  • CVE-2026-32202 — Windows Shell Spoofing Vulnerability (Spoofing). The vulnerability involves a protection mechanism failure (CWE-693) when processing the _IDCONTROLW structure within the IDList chain in shortcut files (.LNK). Researchers from Akamai reverse-engineered the logic of shell32.dll and presented a PoC that allows injecting a UNC path into the ModulePath field of a Control Panel object. When File Explorer (explorer.exe) attempts to render the icon of such a shortcut, an automatic request is made to the remote SMB share, leading to the disclosure of the user's NTLM hash. The vulnerability is closely tied to CVE-2026-21510 and was patched in April 2026.
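
A defender-side check for the shortcut pattern described for CVE-2026-32202, as an added example that is not from the original article or from Akamai's research: it walks the documented LinkTargetIDList of a .LNK file ([MS-SHLLINK]) and reports any item that embeds a UTF-16 UNC path. It is a heuristic that does not decode the _IDCONTROLW layout; the function names, sample bytes and host name are constructed for illustration.

```python
import re
import struct

# Fixed CLSID in every Shell Link header ([MS-SHLLINK] 2.1), as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST = 0x1  # LinkFlags bit 0: a LinkTargetIDList follows the header

# UTF-16LE "\\" followed by two or more printable, non-space ASCII characters.
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[\x21-\x7e]\x00){2,}")


def id_list_items(data: bytes):
    """Yield (index, payload) for each ItemID in the LinkTargetIDList."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    if not flags & HAS_ID_LIST or len(data) < 78:
        return
    (list_size,) = struct.unpack_from("<H", data, 76)
    pos, end = 78, min(78 + list_size, len(data))
    index = 0
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            return
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt IDList")
        yield index, data[pos + 2 : pos + item_size]
        pos += item_size
        index += 1


def unc_paths_in_lnk(data: bytes):
    """Return [(item_index, unc_path)] for UNC strings inside IDList items."""
    hits = []
    for index, payload in id_list_items(data):
        for match in UNC_UTF16.finditer(payload):
            hits.append((index, match.group().decode("utf-16-le")))
    return hits


def constructed_lnk(items):
    """Build test bytes: a bare header plus an IDList. Not a usable shortcut."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ID_LIST)
    header += bytes(76 - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples; the host name and item bytes are made up for the test.
LOCAL_ITEM = b"\x1f\x50" + bytes(16)
REMOTE_PATH = r"\\files.example.test\share\panel.cpl"
REMOTE_ITEM = bytes(10) + REMOTE_PATH.encode("utf-16-le") + b"\x00\x00"
CLEAN = constructed_lnk([LOCAL_ITEM])
SUSPECT = constructed_lnk([LOCAL_ITEM, REMOTE_ITEM])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, unc_paths_in_lnk(blob))
```

Shortcuts that legitimately point at network shares can also match, so hits are triage input for review rather than a verdict.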

Conclusion

The May 2026 update is a classic example of a situation where the absence of currently exploited zero-days should not create a false sense of security. The presence of 30 critical vulnerabilities, including flaws in Netlogon, DNS, and Azure DevOps with maximum CVSS ratings, makes this a highly stressful month for administrators.

Update prioritization for May:

  1. Tier 0 Infrastructure: The absolute priority is installing updates on Domain Controllers (to patch RCE in Netlogon) and DNS servers/clients. Exploitation of these vulnerabilities will lead to the instant collapse of the entire corporate network.
  2. Cloud Development Platforms: Infrastructure owners of Azure DevOps must urgently ensure patches are applied (CVE-2026-42826, CVSS 10.0), as data exfiltration from development environments can compromise all of the company's source code and tokens.
  3. Collaboration Servers: SharePoint Server remains a favorite target for ransomware. The presence of such a high number of RCEs requires immediate updating of web farms exposed to internal and external networks.
  4. User Endpoints: The Microsoft Office suite update must be deployed to workstations as quickly as possible to prevent attackers from infiltrating via malicious documents sent via email.

Important addition: Pay special attention to the "Retrospective Vulnerability Analysis" section. In May, a massive leak of working PoC exploits occurred on GitHub for vulnerabilities patched in February, March, and April (SMB Server, AFD.sys, Print Spooler, HTTP.sys). This means that if your organization is behind on its update schedule by even a month, you are in the crosshairs of automated hacking tools accessible even to low-skilled attackers. Eliminating technical patch debt is now of critical importance.
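
One way to turn the retrospective list into a per-host patch-debt check, as an added example that is not from the original article: it maps each CVE in that list to the month its fix shipped and reports which of those fixes a host still lacks. The inventory format, host names and build revisions are constructed, and the code assumes Windows updates are cumulative.

```python
import re

# From the retrospective list: CVE -> (component, month the fix shipped).
RETRO_FIXES = {
    "CVE-2026-21250": ("HTTP.sys", "2026-02"),
    "CVE-2026-23671": ("Bluetooth RFCOMM driver", "2026-03"),
    "CVE-2026-24294": ("SMB Server", "2026-03"),
    "CVE-2026-26128": ("SMB Server", "2026-03"),
    "CVE-2026-26168": ("afd.sys", "2026-04"),
    "CVE-2026-33101": ("Print Spooler", "2026-04"),
    "CVE-2026-32202": ("Windows Shell", "2026-04"),
}
# The only build threshold the page gives: Windows 11 24H2 below 26100.8246.
SPOOLER_CVE, SPOOLER_FAMILY, SPOOLER_FIXED_REV = "CVE-2026-33101", 26100, 8246

MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")
BUILD_RE = re.compile(r"^(?:\d+\.\d+\.)?(\d+)\.(\d+)$")

# Constructed inventory (hypothetical hosts and build revisions):
# host, OS build, release month of the last cumulative update recorded.
INVENTORY = """\
dc01,10.0.26100.8246,2026-03
ws-114,10.0.26100.7171,2026-02
ws-201,10.0.26100.8100,2026-04
app-07,10.0.20348.3100,2026-03
kiosk-3,unknown,2026-01
"""


def missing_fixes(build_text, last_update_month):
    """Return the retrospective CVEs whose fixes the host still lacks."""
    if not MONTH_RE.match(last_update_month):
        raise ValueError(f"bad month: {last_update_month!r}")
    # "YYYY-MM" strings sort chronologically, so plain comparison is enough.
    missing = {cve for cve, (_, fixed) in RETRO_FIXES.items()
               if last_update_month < fixed}
    build = BUILD_RE.match(build_text.strip())
    if build and int(build.group(1)) == SPOOLER_FAMILY:
        if int(build.group(2)) >= SPOOLER_FIXED_REV:
            # Assumption: updates are cumulative, so a build at or past the
            # April threshold carries every fix listed here, even when the
            # inventory's month field is stale.
            return []
        # Build below the threshold: the spooler fix is absent whatever the
        # month field claims.
        missing.add(SPOOLER_CVE)
    return sorted(missing)


def patch_debt_report(inventory_text):
    """Map host -> missing CVEs, most exposed hosts first."""
    report = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, build, month = (field.strip() for field in line.split(","))
        report[host] = missing_fixes(build, month)
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for host, cves in patch_debt_report(INVENTORY).items():
        print(f"{host:8} {len(cves)} missing: {', '.join(cves) or '-'}")
```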
