May 2026 Patch Tuesday: no zero-days but plenty to fix

ID: 750352a8-281a-53a1-9ab5-65fb4e376867

STIX ID: report--750352a8-281a-53a1-9ab5-65fb4e376867

Feed Name: Malwarebytes Blog

Threat Score: 65/100

Date Published: 2026-05-13

Date Updated: 2026-05-14

Microsoft's Patch Tuesday fixes 137 vulnerabilities, including 31 critical flaws, addressing remote code execution and other high-risk issues across Windows, Office, Azure, SharePoint, and graphics components. The report highlights CVE-2026-40361 (Word use-after-free, CVSS 8.4) and CVE-2026-35421 (GDI EMF heap overflow, CVSS 7.8), describes the exploitation vectors (malicious documents and EMF files), provides step-by-step update instructions, and states that Microsoft has not observed active exploitation in production.
