Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The May 2026 edition of Patch Tuesday brings us 121 fixes, with 16 rated as critical. We’ve listed the most important changes below.
Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
CVE-2026-41103 is the standout vulnerability of the month, a Critical Elevation of Privilege bug in Microsoft’s SSO plug-in for Atlassian Jira and Confluence with a CVSS score of 9.1. Unlike most EoP vulnerabilities this month, this one is network-exploitable, requires no privileges, and needs no user interaction, which is why Microsoft has flagged it as “Exploitation More Likely”.
A successful exploit gives an unauthenticated attacker access to a Jira or Confluence environment at an elevated privilege level. Considering how much sensitive product, customer, and engineering data tends to sit in Atlassian tenants, this is exactly the kind of plug-in flaw that ends up on a red team’s target list quickly. If you use Microsoft’s SSO plug-in to broker access into Jira or Confluence, this one should be at the top of your queue.
Microsoft Word Remote Code Execution Vulnerabilities
Microsoft Word receives four Critical Remote Code Execution patches this month: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367. All four share the same CVSS 8.4 profile: they are local-vector Critical RCEs that need no privileges and no user interaction beyond opening a crafted document. Two of them (CVE-2026-40361 and CVE-2026-40364) are rated “Exploitation More Likely”.
The attack pattern is the familiar one. An attacker delivers a malicious Word document by phishing email, file share, or web download, and as soon as the document is opened the attacker gets code execution in the user’s context. Office RCEs remain a top initial-access vector for ransomware operators and APT crews alike, and four of them landing in the same product on the same day is a strong reminder to keep Office on the express patching lane. If your environment is large enough that Office gets its own deployment ring, this month is a good one to shorten that ring.
Win32k Elevation of Privilege Vulnerabilities
The kernel’s graphical subsystem gives us two patches that Microsoft has flagged as “Exploitation More Likely”: CVE-2026-33840 and CVE-2026-35417. Both are local Elevation of Privilege bugs in Win32k with a CVSS score of 7.8, both require only Low privileges, and both allow a successful attacker to obtain SYSTEM on the local machine.
Run the Patch Tuesday May 2026 Audit
To help manage your update progress, we’ve created the Patch Tuesday Audit, which checks whether the assets in your network are on the latest patch updates. The report is color-coded so you can see which machines are up to date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.
The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses at no additional cost and lets you federate all your installations into a single view, so all you need to do is look at one report, added automatically every Patch Tuesday!
Patch Tuesday May 2026 CVE Codes & Titles
| CVE | Title |
| --- | --- |
| CVE-2025-54518 | AMD: CVE-2025-54518 CPU OP Cache Corruption |
| CVE-2026-21530 | Windows Rich Text Edit Elevation of Privilege Vulnerability |
| CVE-2026-32161 | Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability |
| CVE-2026-32170 | Windows Rich Text Edit Elevation of Privilege Vulnerability |
| CVE-2026-32175 | .NET Core Tampering Vulnerability |
| CVE-2026-32177 | .NET Elevation of Privilege Vulnerability |
| CVE-2026-32185 | Microsoft Teams Spoofing Vulnerability |
| CVE-2026-32204 | Azure Monitor Agent Elevation of Privilege Vulnerability |
| CVE-2026-32209 | Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability |
| CVE-2026-33110 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-33112 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability |
| CVE-2026-33833 | Azure Machine Learning Notebook Spoofing Vulnerability |
| CVE-2026-33834 | Windows Event Logging Service Elevation of Privilege Vulnerability |
| CVE-2026-33835 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-33837 | Windows TCP/IP Local Elevation of Privilege Vulnerability |
| CVE-2026-33838 | Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability |
| CVE-2026-33839 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-33840 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-33841 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-34329 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
| CVE-2026-34330 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-34331 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-34332 | Windows Kernel-Mode Driver Remote Code Execution Vulnerability |
| CVE-2026-34333 | Windows Win32k Elevation of Privilege Vulnerability |
| CVE-2026-34334 | Windows TCP/IP Elevation of Privilege Vulnerability |
| CVE-2026-34336 | Windows DWM Core Library Information Disclosure Vulnerability |
| CVE-2026-34337 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-34338 | Windows Telephony Service Elevation of Privilege Vulnerability |
| CVE-2026-34339 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability |
| CVE-2026-34340 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-34341 | Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability |
| CVE-2026-34342 | Windows Print Spooler Elevation of Privilege Vulnerability |
| CVE-2026-34343 | Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability |
| CVE-2026-34344 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-34345 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-34347 | Windows Win32k Elevation of Privilege Vulnerability |
| CVE-2026-34350 | Windows Storport Miniport Driver Denial of Service Vulnerability |
| CVE-2026-34351 | Windows TCP/IP Elevation of Privilege Vulnerability |
| CVE-2026-35415 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability |
| CVE-2026-35416 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-35417 | Windows Win32k Elevation of Privilege Vulnerability |
| CVE-2026-35418 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-35419 | Windows DWM Core Library Information Disclosure Vulnerability |
| CVE-2026-35420 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability |
| CVE-2026-35422 | Windows TCP/IP Driver Security Feature Bypass Vulnerability |
| CVE-2026-35423 | Windows 11 Telnet Client Information Disclosure Vulnerability |
| CVE-2026-35424 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability |
| CVE-2026-35433 | .NET Elevation of Privilege Vulnerability |
| CVE-2026-35436 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability |
| CVE-2026-35439 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-35440 | Microsoft Word Information Disclosure Vulnerability |
| CVE-2026-40357 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-40360 | Microsoft Excel Information Disclosure Vulnerability |
| CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-40362 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-40368 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability |
| CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability |
| CVE-2026-40377 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability |
| CVE-2026-40380 | Windows Volume Manager Extension Driver Remote Code Execution Vulnerability |
| CVE-2026-40381 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| CVE-2026-40382 | Windows Telephony Service Elevation of Privilege Vulnerability |
| CVE-2026-40397 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2026-40398 | Windows Remote Desktop Services Elevation of Privilege Vulnerability |
| CVE-2026-40399 | Windows TCP/IP Elevation of Privilege Vulnerability |
| CVE-2026-40401 | Windows TCP/IP Denial of Service Vulnerability |
| CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability |
| CVE-2026-40405 | Windows TCP/IP Denial of Service Vulnerability |
| CVE-2026-40406 | Windows TCP/IP Information Disclosure Vulnerability |
| CVE-2026-40407 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2026-40408 | Windows WAN ARP Driver Elevation of Privilege Vulnerability |
| CVE-2026-40410 | Windows SMB Client Elevation of Privilege Vulnerability |
| CVE-2026-40413 | Windows TCP/IP Denial of Service Vulnerability |
| CVE-2026-40414 | Windows TCP/IP Denial of Service Vulnerability |
| CVE-2026-40415 | Windows TCP/IP Remote Code Execution Vulnerability |
| CVE-2026-40417 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability |
| CVE-2026-40418 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| CVE-2026-40419 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| CVE-2026-40420 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| CVE-2026-40421 | Microsoft Word Information Disclosure Vulnerability |
| CVE-2026-41086 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability |
| CVE-2026-41088 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability |
| CVE-2026-41094 | Microsoft Data Formulator Remote Code Execution Vulnerability |
| CVE-2026-41095 | Data Deduplication Elevation of Privilege Vulnerability |
| CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability |
| CVE-2026-41097 | Secure Boot Security Feature Bypass Vulnerability |
| CVE-2026-41100 | Microsoft 365 Copilot for Android Spoofing Vulnerability |
| CVE-2026-41101 | Microsoft Word for Android Spoofing Vulnerability |
| CVE-2026-41102 | Microsoft PowerPoint for Android Spoofing Vulnerability |
| CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability |
| CVE-2026-41109 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability |
| CVE-2026-41610 | Visual Studio Code Security Feature Bypass Vulnerability |
| CVE-2026-41611 | Visual Studio Code Remote Code Execution Vulnerability |
| CVE-2026-41612 | Visual Studio Code Information Disclosure Vulnerability |
| CVE-2026-41613 | Visual Studio Code Elevation of Privilege Vulnerability |
| CVE-2026-41614 | M365 Copilot for Desktop Spoofing Vulnerability |
| CVE-2026-42823 | Azure Logic Apps Elevation of Privilege Vulnerability |
| CVE-2026-42825 | Windows Telephony Service Elevation of Privilege Vulnerability |
| CVE-2026-42830 | Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability |
| CVE-2026-42831 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-42832 | Microsoft Office Spoofing Vulnerability |
| CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
| CVE-2026-42893 | Microsoft Outlook for iOS Tampering Vulnerability |
| CVE-2026-42896 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
| CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability |
| CVE-2026-43353 | i3c: mipi-i3c-hci: Fix race in DMA ring dequeue |
| CVE-2026-43500 | rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present |
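Most titles in the table follow the pattern "<component> <impact> Vulnerability", so the list can be split by impact class or product family when planning deployment rings, while the AMD and kernel entries do not fit and need to stay visible. The following is an added example, not part of the Lansweeper report; the function names and the `SAMPLE` subset of rows are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Impact classes as they appear at the end of the titles in the table above.
IMPACTS = ("Remote Code Execution", "Elevation of Privilege",
           "Information Disclosure", "Security Feature Bypass",
           "Denial of Service", "Spoofing", "Tampering")
ROW = re.compile(r"^\|\s*(CVE-\d{4}-\d{4,})\s*\|\s*(.+?)\s*\|$")
TITLE = re.compile(r"^(?P<component>.+?)\s+(?P<impact>%s) Vulnerability$"
                   % "|".join(map(re.escape, IMPACTS)))

# Rows copied from the table above; a subset chosen for the example.
SAMPLE = """\
| CVE | Title |
| CVE-2025-54518 | AMD: CVE-2025-54518 CPU OP Cache Corruption |
| CVE-2026-33840 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability |
| CVE-2026-42832 | Microsoft Office Spoofing Vulnerability |
| CVE-2026-43353 | i3c: mipi-i3c-hci: Fix race in DMA ring dequeue |
"""

def parse_rows(text):
    """Yield (cve, component, impact); header and non-table lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cve, title = m.groups()
        t = TITLE.match(title)
        if t:
            yield cve, t["component"], t["impact"]
        else:
            # Third-party and kernel entries break the naming convention:
            # keep them visible instead of silently dropping them.
            yield cve, title, "Unclassified"

def group_by_impact(text):
    """Map impact class -> list of (cve, component) in table order."""
    groups = defaultdict(list)
    for cve, component, impact in parse_rows(text):
        groups[impact].append((cve, component))
    return dict(groups)

def in_family(text, keywords):
    """Hypothetical ring selector: CVEs whose component names any keyword."""
    return [cve for cve, comp, _ in parse_rows(text)
            if any(k.lower() in comp.lower() for k in keywords)]
```

Calling `in_family(SAMPLE, ["Word", "Excel", "Office"])` returns the Office-family CVE IDs from the sample; anything that lands in "Unclassified" should be reviewed by hand rather than assigned to a ring automatically.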