softwarebay.de
Microsoft Patch Day: 120 Security Vulnerabilities Closed

On May 12, 2026, Microsoft released security updates as part of its monthly Patch Day, addressing a total of 120 new security vulnerabilities. These updates affect not only Windows and Office but also the company's cloud services. So far, none of the vulnerabilities have been actively exploited; the updates are urgent nonetheless. Of the 120 vulnerabilities, Microsoft classifies 30 as critical, while the remainder are classified as high risk.

Details on the vulnerabilities can be found in the Security Update Guide, which, however, provides only sparse information. Dustin Childs of Trend Micro ZDI notes that the high number of closed vulnerabilities may be related to the upcoming Pwn2Own hacking competition in Berlin on May 14. The critical vulnerabilities include several significant flaws in Windows. CVE-2026-41096 in the Windows DNS Client allows remote code execution (RCE) and has a CVSS score of 9.8.

Another critical flaw, CVE-2026-41089, affects Windows Netlogon and also has a rating of 9.8. Additionally, vulnerabilities in Windows Hyper-V (CVE-2026-40402) and in the graphics component (CVE-2026-40403) are classified as critical. Both vulnerabilities allow for RCE and have not yet been exploited. Microsoft has also addressed 27 vulnerabilities in its Office products, including 15 RCE vulnerabilities, of which eight are considered critical. The critical Office vulnerabilities particularly affect the preview pane, meaning users do not even need to open the file to be attacked.

Another critical issue, CVE-2026-33823, concerns the Team Events Portal and has already been fixed. Two critical data leaks in M365 Copilot (CVE-2026-26129 and CVE-2026-26164) have also been closed. A significant portion of the vulnerabilities, 66 in total, affect various versions of Windows, including Windows 10 and 11. Despite the end of support for Windows 10 in October 2025, the system continues to be listed as affected. This contrasts with Windows 7, whose support under the ESU program (Extended Security Updates) has ended.

The security update for the Edge browser (version 148.0.3967.54), released on May 7, addresses 127 Chromium vulnerabilities that are not included in the total of 120 vulnerabilities. Additionally, the update closes three Edge-specific vulnerabilities as well as two vulnerabilities in the Android version of Edge. Microsoft has made the updates available for all affected systems and recommends installing them promptly to ensure user security.

Vulnerabilities have been discovered at an increasing rate in recent months, highlighting the need for regular updates. The next opportunity to assess the security landscape will be at the Pwn2Own hacking competition in Berlin on May 14, 2026. The vulnerability CVE-2026-41096 has a CVSS rating of 9.8 and allows for Remote Code Execution in the Windows DNS Client.

Tags: Microsoft Security Patch Day Windows Office Cybersecurity Pwn2own Vulnerabilities
