CRITICAL

May 2026 Patch Tuesday: 138 CVEs Including Critical Zero-Click Outlook Flaw CVE-2026-40361

· vulnerability · cve · microsoft · rce · privilege-escalation

Microsoft’s May 2026 Patch Tuesday addresses 138 vulnerabilities (30 rated Critical, 61 privilege-escalation bugs), including DNS and Netlogon remote-code-execution flaws. The standout item is CVE-2026-40361, a critical zero-click Outlook vulnerability researchers compare to the 2015 “BadWinmail” bug, once dubbed an “enterprise killer” for firing without user interaction. None of the 138 CVEs is listed as publicly known or actively exploited at the time of release. High-priority patching targets: Outlook (CVE-2026-40361), Windows DNS server, and Netlogon. Apply the May cumulative update across all Windows and Office surfaces as soon as testing allows.