{“lastseen”:”2026-05-13T12:05:07″,”description”:”This month\u2019s Patch Tuesday remedies 137 security vulnerabilities, including 31 marked critical by Microsoft, with no zero-days actively exploited in the wild.\\n\\nMicrosoft defines a zero-day as \u201ca flaw in software for which no official patch or security update is available yet.\u201d This month, Microsoft has not observed any included vulnerability being exploited in production environments.\\n\\nStill, this release is far from low-risk. A large chunk of the critical bugs allow remote code execution (RCE) across Windows services, Office, Azure, SharePoint, and graphics components. That means attackers who trick a user into opening a malicious document or lure them into connecting to a malicious service could gain full control of a system.\\n\\n## Two vulnerabilities to prioritize\\n\\nFrom that list, we selected two that look like they could cause some trouble.\\n\\nFirst is CVE-2026-40361, which has a CVSS score of 8.4 out of 10. It’s described as a critical use-after-free vulnerability in Microsoft Word that could allow an attacker to execute code locally on the affected system.\\n\\nUse-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program\u2019s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.\\n\\nSo, if an attacker convinces a user to open a malicious Word document, or even previews the file, they could execute arbitrary code with the privileges of the current user. That\u2019s often enough to install malware, steal credentials, or move laterally through a network.\\n\\nSecond is CVE-2026-35421 (CVSS score 7.8 out of 10). This is a critical heap-based buffer overflow in Windows Graphics Device Interface (GDI). A buffer overflow occurs when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. Microsoft notes:\\n\\n\\u003e \u201cFor this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. This action is necessary to trigger the affected graphics functionality in the Windows component.\u201d\\n\\n* * *\\n\\n\\n\\n### ****Real-time protection. Zero effort.** **\\n\\nTRY FREE\\n\\n* * *\\n\\n## How to apply fixes and check if you\u2019re protected\\n\\nThese updates fix security problems and keep your Windows PC protected. Here\u2019s how to make sure you\u2019re up to date:\\n\\n1\\\\. Open **Settings**\\n\\n * Click the **Start** button (the Windows logo at the bottom left of your screen).\\n * Click on **Settings** (it looks like a little gear).\\n\\n\\n\\n2\\\\. Go to **Windows Update**\\n\\n * In the Settings window, select **Windows Update** (usually at the bottom of the menu on the left).\\n\\n\\n\\n3. **Check for updates**\\n\\n * Click the button that says **Check for updates**.\\n * Windows will search for the latest Patch Tuesday updates.\\n * If you have selected to **get the latest updates as soon as they\u2019re available** , you may see this under **More options**.\\n * In which case you may see a **Restart required** message. Restart your system and the update will complete. \\n\\n * If not, continue with the steps below.\\n\\n\\n\\n4. **Download and Install** If updates are found, they\u2019ll start downloading automatically. Once complete, you\u2019ll see a button that says **Install** or **Restart now**.\\n\\n * Click **Install **if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click **Restart now**.\\n\\n\\n\\n**5\\\\. Double-check you\u2019re up to date**\\n\\n * After restarting, go back to **Windows Update** and check again. If it says **You\u2019re up to date** , you\u2019re all set!\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-05-13T11:00:45″,”modified”:”2026-05-13T11:00:45″,”type”:”malwarebytes”,”title”:”May 2026 Patch Tuesday: no zero-days but plenty to fix”,”source”:””,”references”:””,”id”:”MALWAREBYTES:5B11063C3CEECFA405712460ABA2FAF8″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-35421″,”CVE-2026-40361″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.4,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/05\/may-2026-patch-tuesday-no-zero-days-but-plenty-to-fix”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-13T12:05:07″,”description”:”This month\u2019s Patch Tuesday remedies 137 security vulnerabilities, including 31 marked critical by Microsoft, with no zero-days actively exploited in the wild.\\n\\nMicrosoft defines a zero-day…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,74,12,15,115,13,7,11,5],"class_list":["post-54012","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-84","tag-exploit","tag-high","tag-malwarebytes","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n