Microsoft Patches 78 Vulnerabilities Including Three Actively Exploited Zero-Days
Microsoft's May 2026 Patch Tuesday addresses 78 security vulnerabilities, with three zero-days confirmed to be under active exploitation in the wild.
Microsoft has released its May 2026 Patch Tuesday updates, addressing 78 security vulnerabilities across its product portfolio, including three zero-day flaws that are confirmed to be under active exploitation.
The three exploited vulnerabilities are CVE-2026-26234, a privilege escalation flaw in the Windows Common Log File System (CLFS); CVE-2026-26235, a remote code execution vulnerability in Microsoft Office; and CVE-2026-26236, a security feature bypass in Windows SmartScreen.
"The CLFS vulnerability is particularly concerning because it's being used in ransomware attacks," said Robert Fischer, senior security analyst at PatchPoint Research. "We've seen multiple threat actors adopting this exploit within days of its apparent discovery."
Of the 78 total vulnerabilities, 11 are rated Critical and 67 are rated Important. The updates affect Windows, Office, Azure, .NET, Visual Studio, and several other Microsoft products.
The Office RCE vulnerability (CVE-2026-26235) can be exploited through specially crafted documents and is being used in targeted attacks against organizations in the financial and legal sectors, according to Microsoft's advisory.
Security experts are urging organizations to prioritize these patches, particularly the three actively exploited flaws. "The window between patch release and widespread exploitation has collapsed to hours in many cases," noted security researcher Amanda Collins. "Organizations need to have processes in place for emergency patching."
Microsoft also announced that extended security updates will be available for Windows 10, which reaches end of support in October 2026, for organizations that need additional time to migrate.