Microsoft's May Patch Tuesday update resolved 137 vulnerabilities across its product portfolio, with 13 deemed critical. Notably, none of these vulnerabilities were being actively exploited as zero-days at the time of the update. The critical vulnerabilities included CVE-2026-33109 and CVE-2026-42823, which affected Azure, as well as CVE-2026-42898 in Microsoft Dynamics 365, each with a 9.9 CVSS score1. The absence of actively exploited zero-days may reduce the immediate urgency for some patches, but the high CVSS scores indicate a significant potential impact if exploited. Microsoft's disclosure of these vulnerabilities highlights the ongoing need for diligent patch management. The fact that CVE-2026-33109 is under discussion regarding its exploitation status means its priority may change, making it essential for practitioners to monitor the situation closely. This update matters to security practitioners because it underscores the importance of staying current with patches, especially for critical vulnerabilities with high CVSS scores.
Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical
⚠️ Critical Alert
Why This Matters
CVE-2026-33109 is in active discussion involving Microsoft — exploitation status determines whether this is patch-now or monitor.
References
- CyberScoop. (2026, May 12). Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical. CyberScoop. https://cyberscoop.com/microsoft-patch-tuesday-may-2026/
Original Source
CyberScoop
Read original →