Last updated: May 13, 2026 at 5:42 AM UTC

Microsoft's May 2026 Patch Tuesday fixes 120 flaws and no zero-days for the first time since June 2024 - but a Word preview-pane bug and DNS Client RCE stand out as the priorities

Microsoft fixed 120 vulnerabilities on Tuesday - 17 Critical, no zero-days for the first time since June 2024. Two Word RCEs (CVE-2026-40361 and CVE-2026-40364) trigger just by viewing a malicious document in Outlook's Preview Pane and are rated 'Exploitation More Likely.' Windows DNS Client (CVE-2026-41096) lets an attacker-controlled DNS server execute code on any Windows machine resolving a hostile name - echoing SigRed. Other priorities: Netlogon RCE (CVE-2026-41089) and Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103, CVSS 9.1).

Check
Check Windows patch status for the May 2026 cumulative update. Confirm whether Outlook's Word Preview Pane is enabled - that's the exposure path for CVE-2026-40361 and CVE-2026-40364.
Affected
Unpatched Windows clients and servers. Priority targets: Outlook/Word (Preview Pane RCEs CVE-2026-40361/40364), domain controllers (Netlogon CVE-2026-41089), DNS-facing servers (CVE-2026-41096).
Fix
Deploy May 2026 cumulative updates fleet-wide. Prioritize DCs (Netlogon), DNS servers, and Outlook hosts. Disable Word Preview Pane as a compensating control until patched.