Microsoft Ends Two-Year Zero-Day Streak in May 2026 Patch Tuesday

By- Satnam Narang, Senior Staff Research Engineer at Tenable

The May 2026 Patch Tuesday Release breaks a long-standing streak as the first release in nearly two years not to include a zero-day. Every release since July 2024 has included at least one zero-day either exploited or publicly disclosed, averaging 3.5 per month across a 22-month streak.

Five months into 2026, Microsoft has already patched over 500 CVEs, putting it on pace to surpass 2020's record of 1,245 for a single calendar year.

A couple of vulnerabilities stand out in this release. Microsoft patched four critical remote code execution bugs in Microsoft Word, all with the same CVSS scores (8.4), but only two (CVE-2026-40361, CVE-2026-40364) are considered more likely to be exploited. These flaws could be exploited by an attacker who sends a malicious document to a target. The other common thread across these vulnerabilities is that a target doesn’t need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane. Therefore, patching is the most reliable way to protect against flaws like these.