← CIO Briefings Β· High Impact ACTION REQUIRED

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Including Wormable Network RCE Require Urgent Action

Microsoft's May 2026 update cycle addresses 120 security vulnerabilities, 17 rated Critical, including a wormable Remote Code Execution flaw in the Windows DNS Client that requires no user interaction. This release affects every Windows version in enterprise service. Security and IT leadership should authorise emergency patching of network-facing systems within 24 hours.

4 min read
#NIS2#DORA

What Happened

Microsoft released its May 2026 monthly security update, addressing 120 vulnerabilities across the entire Windows ecosystem β€” including Windows 10, Windows 11, Windows Server 2019 through 2025, SharePoint Server, and Microsoft Office. Of the 120 fixes, 17 are rated Critical and 14 are Remote Code Execution (RCE) vulnerabilities. Three vulnerabilities warrant particular executive attention:

  • CVE-2026-41096 (Windows DNS Client RCE): A flaw in how Windows processes DNS β€” the standard naming service used by all computers to find servers and websites β€” that allows an attacker controlling a DNS server to compromise any Windows machine performing normal network activity. No user action beyond standard computer use is required.
  • CVE-2026-40365 (SharePoint Server RCE): A vulnerability in Microsoft SharePoint β€” the collaboration platform used by most large organisations β€” that allows an attacker with a standard employee account to execute malicious code on SharePoint infrastructure.
  • CVE-2026-35421 (Windows GDI RCE): A flaw exploitable via malicious documents or images delivered by email, affecting any employee who previews or opens externally sourced files.

None of these vulnerabilities are currently under confirmed active exploitation. Historical patterns show that criminal groups typically weaponise critical Windows flaws within 48–72 hours of Microsoft’s monthly releases.

Business Impact

The Windows DNS Client vulnerability (CVE-2026-41096) has characteristics that security professionals term β€œwormable” β€” capable of spreading across networks without human interaction. An attacker who can manipulate DNS responses on a network segment could compromise large numbers of systems without any employee action. In practical terms, a single compromised network appliance or ISP-level DNS manipulation could cascade to widespread server compromise within hours if systems are not patched.

SharePoint Server, used for internal collaboration and document management, stores significant volumes of sensitive business content. Successful exploitation of CVE-2026-40365 could give attackers access to all content stored on SharePoint β€” contracts, HR records, financial data, and board materials β€” and position them for broader network access using SharePoint’s service account.

The May release also coincides with Critical patches from SAP, Fortinet, and AMD, creating a multi-vendor patching sprint for IT and security operations teams.

Regulatory Implications

For organisations operating under NIS2 (Article 21 security measures) and DORA (ICT risk management requirements), failure to patch critical vulnerabilities within reasonable timeframes can constitute a breach of mandatory security obligations. If a network-level exploitation event occurs through an unpatched CVE-2026-41096 on network infrastructure, NIS2 requires early warning notification within 24 hours and a full incident report within 72 hours. DORA Article 19 imposes similar obligations on financial entities. Documenting the patching timeline and completion provides evidence of due diligence.

Board-Ready Summary

  • A standard monthly Windows update contains 120 security fixes, including a flaw that can spread across corporate networks without any employee doing anything wrong.
  • Delaying patching of server infrastructure beyond this week means operating with known, publicly disclosed vulnerabilities that criminal groups typically begin exploiting within three days.
  • Authorise IT operations to deploy patches to servers and network infrastructure this week, accepting any required maintenance windows as the lower-risk option.
  1. Immediate (0–24 hours): Authorise emergency maintenance windows for patch deployment to all Windows Server instances, DNS infrastructure, and internet-facing systems. This overrides standard change control cycles β€” the risk calculus favours action.
  2. Short-term (this week): Extend patching to all employee workstations via automated deployment (Intune or SCCM/ConfigMgr). Prioritise machines used by employees with access to SharePoint or who regularly handle external email attachments.
  3. SharePoint specifically: Apply the May 2026 SharePoint Cumulative Update to all on-premises SharePoint Server farms and verify the build version via Central Administration. Identify any SharePoint instances accessible from partner networks or extranet zones.
  4. Regulatory documentation: Record the patching commencement date, affected systems, and completion timeline for NIS2/DORA compliance records. If critical systems cannot be patched within 72 hours, document compensating controls.
  5. Ongoing: Review patch compliance dashboards at week-end to identify systems that did not receive the update. Confirm that automatic updates are enabled for all managed devices and that no systems have been manually excluded from update policies.