Microsoft's May 2026 Patch Tuesday addressed 137 security vulnerabilities, including 31 critical flaws, though none of them was a zero-day under active exploitation. The company defines a zero-day as a software flaw with no official patch yet available, and none of the vulnerabilities in this release had been observed being exploited in production environments.
Despite the lack of active zero-days, this month's updates carry significant risk. Many critical bugs allow remote code execution across Windows services, Office, Azure, SharePoint, and graphics components. Attackers could gain full system control if a user opens a malicious document or connects to a compromised service.
Two vulnerabilities demand immediate attention. CVE-2026-40361, rated 8.4 out of 10 on the CVSS scale, describes a critical use-after-free vulnerability in Microsoft Word. This flaw could allow local code execution on an affected system. A use-after-free error occurs when a program keeps using a pointer to memory it has already freed instead of clearing it; an attacker can then influence what that memory holds and manipulate the program. If a user opens a malicious Word document, or even previews it, an attacker could execute arbitrary code with the user's current privileges. This often suffices to install malware, steal credentials, or move laterally through a network.
Another critical flaw is CVE-2026-35421, with a CVSS score of 7.8 out of 10. This is a heap-based buffer overflow in the Windows Graphics Device Interface (GDI). A buffer overflow happens when a program writes data past the end of an allocated buffer into the adjacent memory region. Microsoft notes that a user must open or process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint to exploit this vulnerability; opening the file triggers the affected graphics code in the Windows component.
Users can apply these fixes through the Windows Update settings. Open the Start menu, then Settings, and select Windows Update. Click "Check for updates." If updates are found, they will download automatically. Users should install them and restart their computer when prompted to complete the process. After restarting, return to Windows Update to confirm the system is up to date.
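For administrators who want to confirm the manual steps above from a script, the following PowerShell is an added example (not from the article or from Microsoft) that reports whether this release's updates are pending, installed, or waiting on a restart. It assumes the update titles carry the "2026-05" month prefix that Microsoft's cumulative updates normally use, and that it runs in an elevated session.

```powershell
# Added example: check a Windows host's status against the May 2026 Patch Tuesday release.
# Assumption: this release's update titles contain the month tag "2026-05".
$monthTag = '2026-05'

# Windows Update Agent COM API (built into Windows)
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 1. Updates that are applicable but not yet installed ("Check for updates" equivalent)
$pending    = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$pendingMay = @($pending | Where-Object { $_.Title -like "*$monthTag*" })

# 2. Updates already installed, from the local update history (ResultCode 2 = Succeeded)
$historyCount = $searcher.GetTotalHistoryCount()
$history      = if ($historyCount -gt 0) { $searcher.QueryHistory(0, $historyCount) } else { @() }
$installedMay = @($history | Where-Object { $_.Title -like "*$monthTag*" -and $_.ResultCode -eq 2 })

# 3. A restart is still required if Windows Update has left this key in place
$rebootKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$rebootPending = Test-Path $rebootKey

# Report
foreach ($u in $pendingMay)   { Write-Output "[PENDING]   $($u.Title)" }
foreach ($u in $installedMay) { Write-Output "[INSTALLED] $($u.Title)" }

if ($pendingMay.Count -gt 0) {
    Write-Output "ACTION: $($pendingMay.Count) update(s) from $monthTag still need to be installed."
} elseif ($rebootPending) {
    Write-Output "ACTION: updates installed, but a restart is pending before they take effect."
} elseif ($installedMay.Count -gt 0) {
    Write-Output "PASS: $monthTag updates installed and no restart pending."
} else {
    Write-Output "UNKNOWN: no $monthTag updates found in history; check Windows Update manually."
}
```

The script only reads update state and the registry; it installs nothing, so it is safe to run across a fleet to find hosts that still need the May 2026 updates or a restart.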
