ZERO DAY INITIATIVE - BLOG
The May 2026 Security Update Review
MEDIUM patch-tuesday adobe-commerce microsoft-edge elevation-of-privilege
Strategic summary
Microsoft and Adobe released their May 2026 security updates. Microsoft addresses 138 vulnerabilities, 30 of which are critical, including severe DNS and Netlogon flaws allowing remote code execution. Adobe fixes 52 CVEs in products such as Commerce and Connect. No active attacks are known, but immediate patching is advised.
Key findings
- Microsoft patches 138 vulnerabilities, including a critical DNS client flaw (CVE-2026-41096) enabling unauthenticated remote code execution via malicious DNS responses.
- The Netlogon vulnerability (CVE-2026-41089, CVSS 9.8) allows a wormable attack on domain controllers without authentication or user interaction.
- In Dynamics 365 On-Premises (CVE-2026-42898, CVSS 9.9), an authenticated user can inject code and break out to affect other components.
- Adobe fixes 52 CVEs, prioritizing Commerce (15 bugs) and Connect (two CVSS 9-rated issues).
- None of the Microsoft vulnerabilities are currently under active attack or publicly known, but immediate patching is critical due to severity.
Relevance for you
Patch Tuesday roundup covering Adobe and Microsoft products (Commerce, Connect, Edge, Visual Studio) used in manufacturing and office environments; no active exploitation reported; informational value for vulnerability tracking.
Mentioned CVEs
- CVE-2026-41096
- CVE-2026-41089
- CVE-2026-42898
- CVE-2026-40415
- CVE-2026-35435
- CVE-2026-35428
- CVE-2026-42826
- CVE-2026-32207
- CVE-2026-33109
- CVE-2026-33844
- CVE-2026-41105
- CVE-2026-33111
- CVE-2026-26129
- CVE-2026-26164
- CVE-2026-33821
- CVE-2026-40379
- CVE-2026-40363
- CVE-2026-40358
- CVE-2026-34327
- CVE-2026-40365
- CVE-2026-41103
- CVE-2026-33823
- CVE-2026-40364
- CVE-2026-40366
- CVE-2026-40361
- CVE-2026-40367
- CVE-2026-42831
- CVE-2026-35421
- CVE-2026-40403
- CVE-2026-40402
- CVE-2026-32161
- CVE-2026-32175
- CVE-2026-32177
- CVE-2026-35433
- CVE-2025-54518
- CVE-2026-42899
- CVE-2026-40381
- CVE-2026-42823
- CVE-2026-33833
- CVE-2026-32204
- CVE-2026-42830
- CVE-2026-33117
- CVE-2026-41109
- CVE-2026-35424
- CVE-2026-41614
- CVE-2026-41100
- CVE-2026-40377
- CVE-2026-41094
- CVE-2026-40417
- CVE-2026-42833
- CVE-2026-42838
- CVE-2026-40360
- CVE-2026-40359
- CVE-2026-40362
- CVE-2026-42832
- CVE-2026-34329
- CVE-2026-40419
- CVE-2026-40418
- CVE-2026-35436
- CVE-2026-40420
- CVE-2026-42893
- CVE-2026-40374
- CVE-2026-41102
- CVE-2026-35439
- CVE-2026-40368
- CVE-2026-33110
- CVE-2026-33112
- CVE-2026-40357
- CVE-2026-32185
- CVE-2026-41101
- CVE-2026-35440
- CVE-2026-40421
- CVE-2026-41097
- CVE-2026-40370
- CVE-2026-41613
- CVE-2026-41612
- CVE-2026-41611
- CVE-2026-41610
- CVE-2026-33839
- CVE-2026-33840
- CVE-2026-34330
- CVE-2026-34331
- CVE-2026-35423
- CVE-2026-35438
- CVE-2026-41086
- CVE-2026-34344
- CVE-2026-34345
- CVE-2026-35416
- CVE-2026-41088
- CVE-2026-34343
- CVE-2026-35418
- CVE-2026-33835
- CVE-2026-34337
- CVE-2026-40407
- CVE-2026-40397
- CVE-2026-42896
- CVE-2026-35419
- CVE-2026-34336
- CVE-2026-33834
- CVE-2026-32209
- CVE-2026-33841
- CVE-2026-35420
- CVE-2026-40369
- CVE-2026-34332
- CVE-2026-34339
- CVE-2026-34341
- CVE-2026-33838
- CVE-2026-34342
- CVE-2026-41095
- CVE-2026-34340
- CVE-2026-40398
- CVE-2026-21530
- CVE-2026-32170
- CVE-2026-40410
- CVE-2026-35415
- CVE-2026-34350
- CVE-2026-40405
- CVE-2026-40414
- CVE-2026-40401
- CVE-2026-40413
- CVE-2026-35422
- CVE-2026-34351
- CVE-2026-40399
- CVE-2026-34334
- CVE-2026-40406
- CVE-2026-33837
- CVE-2026-42825
- CVE-2026-34338
- CVE-2026-40382
- CVE-2026-40380
- CVE-2026-40408
- CVE-2026-34333
- CVE-2026-34347
- CVE-2026-35417
- CVE-2026-42891
- CVE-2026-35429
- CVE-2026-41107
- CVE-2026-40416
Risk score
Review required 61
- cvss base
- 98.00
- kev bonus
- 0.00
- epss bonus
- 10.00
- poc bonus
- 15.00
- raw before weight
- 123.00
- industry weight
- 1.21
- freshness factor
- 0.50
- exploitability factor
- 1.00
- days old
- 57.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -13.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
CVSS_LOW_RISKHigh CVSS despite low-risk wording −8 -
VENDOR_MISMATCHVendor not found in alert title −5
- Consensus penalty:
- −13.0
- Total penalty:
- −13.0
MITRE ATT&CK mapping
5 TTPs Recon
Resource Dev
Execution
T1059 Command and Scripting Interpreter Persistence
Priv. Escal.
T1068 Exploitation for Privilege Escalation Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
T1530 Data from Cloud Storage C2
Exfiltration
Impact
Procedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1190 Exploit Public-Facing Application | Initial Access | CVE-2026-41089 describes a CVSS 9.8 stack-based buffer overflow in Windows Netlogon allowing an unauthenticated remote attacker to execute code on a domain controller by sending a specially crafted network request with no credentials or user interaction required. | high | llm |
| T1068 Exploitation for Privilege Escalation | Privilege Escalation | The majority of Microsoft's May 2026 patches address Elevation of Privilege bugs across Windows components, Azure, Edge, and Visual Studio, allowing local attackers to execute code at SYSTEM-level or administrative privileges, with some enabling sandbox escapes. | high | llm |
| T1059 Command and Scripting Interpreter | Execution | Multiple Adobe vulnerabilities described as 'open-and-own code executions' in products such as After Effects, Illustrator, Media Encoder, Premiere Pro, and Substance 3D allow arbitrary code execution when a user opens a malicious file. | medium | llm |
| T1189 Drive-by Compromise | Initial Access | Adobe Connect CVEs rated CVSS 9 and cross-site scripting (XSS) vulnerabilities across multiple Adobe products could be leveraged to execute malicious scripts in a victim's browser without requiring explicit file download. | medium | llm |
| T1530 Data from Cloud Storage | Collection | Azure elevation of privilege bugs patched this month allow an attacker to access data otherwise hidden from them within Azure cloud environments. | medium | llm |