During May's patch Tuesday, Microsoft fixed 120 security vulnerabilities. Among them are several critical flaws in Word and Copilot.
Microsoft released security updates addressing 120 new security vulnerabilities. In addition to Windows and Office, Microsoft's cloud services are affected. To date, none of these vulnerabilities are known to be actively exploited in attacks. Microsoft classifies a full 30 of these flaws as critical, while the remainder are all designated as high-risk.
Microsoft provides only sparse details regarding these vulnerabilities, leaving users to search for the information themselves within the Security Update Guide.
Edgeupdate fixes 100 browser vulnerabilities
The latest security update for Edge 148.0.3967.54 has been released on May 7 and is based on Chromium 148.0.7778.97. It resolves 127 Chromium vulnerabilities, which are not included in the total vulnerability count mentioned above. The update alsoo closes three Edge-specific vulnerabilities as well as two vulnerabilities in Edge for Android.
Office vulnerabilities
Microsoft has patched 27 vulnerabilities across its Office product family, nearly twice as many as in April. Among these are 15 RCE (Remote Code Execution) vulnerabilities, eight of which are classified as critical. For these specific vulnerabilities, the Preview Pane itself serves as an attack vector; a user does not need to open a specially crafted file in Office to enable a successful attack. Microsoft also designates a data leak in its Team Events Portal (CVE-2026-33823) as critical, a vulnerability the vendor has already patched. Additionally, two data leaks in M365 Copilot (CVE-2026-26129, -26164) are considered critical.
Vulnerabilities in Windows
A significant portion of the vulnerabilities, 66 in this instance, are distributed across the various Windows versions (10, 11, Server) for which Microsoft still provides security updates. Windows 10 continues to be listed as an affected system in the usual manner, even though official support expired in October 2025.
Critical Windows Vulnerabilities
Five of the vulnerabilities in Windows that Microsoft is patching this month are classified as critical Remote Code Execution (RCE) flaws. CVE-2026-41096 in the DNS Client is particularly problematic, as this component runs on practically every Windows machine. To exploit this vulnerability, a malicious response to a DNS request is sufficient. An attacker, for instance, one who controls a DNS server, can execute arbitrary code on any machine. Accordingly, the CVSS score is 9.8; the same applies to CVE-2026-41089 in Windows Netlogon. In this case, an attacker can execute code on a domain controller without authentication by sending specially crafted network requests.