Microsoft May 2026 Patch Tuesday: 31 critical, Snort rules

Microsoft’s May 2026 Patch Tuesday fixes 137 vulnerabilities, including 31 critical; Cisco Talos released Snort rules to detect exploitation attempts.

On May 12, Microsoft published its May 2026 security update covering 137 vulnerabilities across Windows, Office, Azure and other products. Microsoft reported that 31 of the flaws are rated critical and that it has not observed active exploitation of the disclosed issues in the wild.

Sixteen of the 31 critical vulnerabilities are remote code execution (RCE) issues. Affected components include Microsoft Office and Word, the Windows Native WiFi Miniport Driver, Azure Managed Instance for Apache Cassandra, Windows GDI, Office for Android, Microsoft Dynamics 365 (on-premises), SharePoint, Windows Win32K GRFX, Windows Netlogon and the Windows DNS Client. Microsoft posted the full list of patched products and technical details on its update page.

Notable critical flaws include CVE-2026-32161, a race condition in the Windows Native WiFi Miniport Driver that could allow an attacker on an adjacent network to execute code; CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that can be triggered by a crafted request to a domain controller and may allow code execution without signing in; and CVE-2026-41096, a heap-based overflow in the Windows DNS Client that could be triggered by a specially crafted DNS response. CVE-2026-35421 is a heap-based buffer overflow in Windows GDI that can be exploited when a user opens a malicious Enhanced Metafile (EMF) file in Microsoft Paint.

Microsoft also disclosed multiple Office and Word vulnerabilities, including use-after-free and heap overflow flaws (CVE-2026-40358, CVE-2026-40361, CVE-2026-40363, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367) that could allow local code execution if a user opens a crafted document. CVE-2026-42831 is a heap overflow in Office for Android that requires a user to open a malicious Office file. CVE-2026-40365 affects SharePoint and could allow an authenticated attacker with at least Site Owner privileges to write and execute code on a SharePoint server. CVE-2026-42898 is a code injection flaw in Dynamics 365 (on-premises) that can be triggered by modifying a saved session state. CVE-2026-40403 in Win32K GRFX is a heap overflow that could enable an attacker to escape a contained execution environment; Microsoft noted a Remote Desktop scenario where a compromised server could cause code execution on connecting clients.

Cisco Talos released new Snort rules to help detect exploitation attempts for many of the disclosed vulnerabilities. The Snort 2 rule ranges in this release include 1:66438-1:66445, 1:66451-1:66460 and 1:66470-1:66476. Snort 3 rules include 1:301494-1:301497, 1:301500-1:301506, 1:66472-1:66473 and 1:66476. Cisco Security Firewall customers should update their Security Rule Updates (SRU) to receive protections. Snort Subscriber Ruleset customers can obtain the latest rule pack from Snort.org. Talos indicated that additional rules may be released and that current rules could change as more information becomes available.
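To confirm that a sensor actually loaded the rules listed above, the following added example (not from Microsoft, Cisco Talos or the original article) expands the published ranges and checks a rules file for each GID:SID, separating rules that are enabled from those shipped commented out. The function names and the sample rules are constructed for illustration, and the parser assumes one rule per line.

```python
import re

# Rule ranges exactly as listed in the article (GID:SID, inclusive).
SNORT2_RANGES = ["1:66438-1:66445", "1:66451-1:66460", "1:66470-1:66476"]
SNORT3_RANGES = ["1:301494-1:301497", "1:301500-1:301506",
                 "1:66472-1:66473", "1:66476"]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# A rule line, optionally commented out (how rule packs ship disabled rules).
RULE_RE = re.compile(r"^(#\s*)?(alert|drop|block|reject|pass|log)\b")

# Constructed sample rules file; headers and messages are placeholders.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed sample"; sid:66438; rev:1;)
# alert tcp any any -> any any (msg:"constructed sample"; sid:66439; rev:1;)
alert tcp any any -> any any (msg:"constructed sample"; gid:1; sid:66476; rev:1;)
alert tcp any any -> any any (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

def expand(ranges):
    """Expand 'G:S-G:S' or 'G:S' strings into a set of (gid, sid) tuples."""
    out = set()
    for item in ranges:
        first, _, last = item.partition("-")
        gid, lo = (int(x) for x in first.split(":"))
        hi = int(last.split(":")[1]) if last else lo
        out.update((gid, sid) for sid in range(lo, hi + 1))
    return out

def coverage(rules_text, ranges):
    """Sort each expected rule into enabled, disabled (commented) or missing."""
    expected, state = expand(ranges), {}
    for line in rules_text.splitlines():
        rule, sid = RULE_RE.match(line.strip()), SID_RE.search(line)
        if not rule or not sid:
            continue
        gid = GID_RE.search(line)  # gid defaults to 1 when the option is absent
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        active = rule.group(1) is None
        if key in expected and (active or key not in state):
            state[key] = "enabled" if active else "disabled"
    report = {"enabled": [], "disabled": [], "missing": []}
    for key in sorted(expected):
        report[state.get(key, "missing")].append(key)
    return report

if __name__ == "__main__":
    for name, ranges in (("Snort 2", SNORT2_RANGES), ("Snort 3", SNORT3_RANGES)):
        print(name, {k: len(v) for k, v in coverage(SAMPLE_RULES, ranges).items()})
```

A rule reported as disabled is present in the pack but generates no alerts until the active policy enables it, so treat it the same as missing when assessing detection coverage.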

Microsoft and Cisco Talos recommend that organizations apply the provided patches promptly and, where applicable, update intrusion detection rule sets to help identify attempted exploitation.
