Microsoft's May Patch Tuesday release addresses 12 vulnerabilities across Windows, Office, and Azure services, rated Critical or High with CVSS v3.1 scores from 7.8 to 9.8. Administrators should deploy the cumulative update by May 31, 2026; unpatched systems remain exposed to remote code execution and privilege escalation.
Immediate Impact
A new Microsoft Security Update (MSRC‑2026‑001) covers twelve CVEs affecting Windows 10/11, Windows Server 2019/2022, Microsoft Office, and Azure AD (now Microsoft Entra ID). Ten of the flaws score 9.8 on the CVSS v3.1 scale and are rated Critical; the remaining two score 7.8 (High). Exploitation has been observed in the wild.
Affected Products and Versions
| Product | Versions Impacted | CVE IDs | CVSS (v3.1) |
|---|---|---|---|
| Windows 10/11 | 20H2, 21H2, 22H2, 23H2 | CVE‑2026‑1111, CVE‑2026‑1112, CVE‑2026‑1113 | 9.8 |
| Windows Server | 2019, 2022, Azure Stack HCI | CVE‑2026‑1114, CVE‑2026‑1115 | 9.8 |
| Microsoft Office | 2016‑2021, Office 365 ProPlus | CVE‑2026‑1116, CVE‑2026‑1117 | 9.8 |
| Azure Active Directory | All tenants | CVE‑2026‑1118, CVE‑2026‑1119 | 9.8 |
| Microsoft Edge | Stable, Beta, Dev | CVE‑2026‑1120 | 7.8 |
| .NET Framework | 4.8, 4.7.2 | CVE‑2026‑1121 | 7.8 |
All listed Windows versions remain vulnerable until cumulative update KB5019473 (or a later cumulative update that supersedes it) is installed. Office, Edge and Azure AD are not serviced by a Windows cumulative update; see the per-product mitigation steps below.
Technical Details
Remote Code Execution (RCE) in Win32k Kernel
CVE‑2026‑1111 and CVE‑2026‑1112 are use‑after‑free bugs in the Win32k kernel driver. A crafted window message triggers reuse of the freed object and gives the attacker arbitrary code execution in kernel mode. Because the trigger is a window message, the attacker needs code already running in an interactive session; in practice this is a local escalation primitive chained behind an initial-access vector, and network filtering does not block it. Once running in ring 0, the payload can evade PatchGuard and install persistent rootkits.
Privilege Escalation via COM Object Hijacking
CVE‑2026‑1113 targets the COM activation flow in mmc.exe. The attacker registers a rogue COM server (a DLL or EXE path under a CLSID key that mmc.exe resolves) in a location the privileged activation honours; the advisory describes this as a registration under a privileged SID. When the console activates that class, the attacker's code runs with the console's privileges, elevating from a standard user to SYSTEM without user interaction. Unexpected CLSID registrations, in particular per-user ones under HKCU\Software\Classes\CLSID, are the artefact to hunt for.
Office Macro Bypass
CVE‑2026‑1116 abuses the Office XML parser. A malicious document embeds a specially crafted XML payload that makes the Office host process load a DLL from an attacker‑controlled path, giving code execution when the document is opened. No VBA is involved, so macro blocking on its own does not stop this vector; the Office update is required.
Azure AD Token Forgery
CVE‑2026‑1118 allows token replay across tenants. The flaw stems from insufficient validation of the aud (audience) claim in the JWT: a resource in one tenant accepts a token that Azure AD issued for another. An attacker holding a valid token in one tenant can therefore present it to a second tenant's resources and gain admin rights there. Correct validation checks the signature first and then binds aud to the resource's own identity and tid to its own tenant; checking aud alone is not enough.
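The check a resource must perform before trusting a token, as an added example that is not part of the advisory. HS256 with a shared test key stands in for Azure AD's RS256 signing so the block runs offline; the tenant IDs, audience URI and key are constructed values.

```powershell
# Added example (not from the advisory): signature, expiry, aud and tid validation of a JWT.
# HS256 with a shared test key replaces Azure AD's RS256 so this runs offline.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}
function New-TestJwt([System.Collections.IDictionary]$Claims, [byte[]]$Key) {
    $utf8    = [Text.Encoding]::UTF8
    $header  = ConvertTo-Base64Url ($utf8.GetBytes('{"alg":"HS256","typ":"JWT"}'))
    $payload = ConvertTo-Base64Url ($utf8.GetBytes((ConvertTo-Json -InputObject $Claims -Compress)))
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $sig     = ConvertTo-Base64Url ($hmac.ComputeHash($utf8.GetBytes("$header.$payload")))
    "$header.$payload.$sig"
}
function Test-Jwt([string]$Token, [byte[]]$Key, [string]$ExpectedAud, [string]$ExpectedTid) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'reject: malformed' }
    $utf8     = [Text.Encoding]::UTF8
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $expected = $hmac.ComputeHash($utf8.GetBytes("$($parts[0]).$($parts[1])"))
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison: never short-circuit on the first differing byte.
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { return 'reject: bad signature' }
    $claims = $utf8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ([int64]$claims.exp -le $now) { return 'reject: expired' }
    # The advisory's bug is a loose aud check. Bind BOTH aud and tid to this resource's
    # own identity, so a token minted for another tenant is refused even if aud matches.
    # (aud is a string here; if your tokens carry an aud array, test membership instead.)
    if ($claims.aud -ne $ExpectedAud) { return "reject: aud $($claims.aud)" }
    if ($claims.tid -ne $ExpectedTid) { return "reject: tid $($claims.tid) (cross-tenant replay)" }
    'accept'
}

# Constructed inputs for the demonstration.
$key      = [Text.Encoding]::UTF8.GetBytes('constructed-test-key-not-a-real-secret')
$tenantA  = '11111111-1111-1111-1111-111111111111'
$tenantB  = '22222222-2222-2222-2222-222222222222'
$audience = 'api://contoso-billing'
$exp      = [DateTimeOffset]::UtcNow.AddMinutes(60).ToUnixTimeSeconds()
$tokenA   = New-TestJwt ([ordered]@{ aud = $audience; tid = $tenantA; roles = @('Admin'); exp = $exp }) $key

# Tenant A's own resource accepts; tenant B's resource refuses the replay on tid.
Test-Jwt $tokenA $key $audience $tenantA
Test-Jwt $tokenA $key $audience $tenantB
# A payload rewritten to claim tenant B fails the signature check before any claim is read.
$parts = $tokenA.Split('.')
$parts[1] = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes("{`"aud`":`"$audience`",`"tid`":`"$tenantB`",`"exp`":$exp}"))
Test-Jwt ($parts -join '.') $key $audience $tenantB
```

The three calls at the end return accept, a tid rejection and a signature rejection respectively. The ordering matters: signature before claims, so an attacker who can edit the payload cannot influence which branch of the claim logic runs.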
Edge Use‑After‑Free in V8 Engine
CVE‑2026‑1120 is a use‑after‑free in Edge's V8 JavaScript engine; the exploitation technique is a heap spray that places attacker-controlled data where the freed object lived, corrupting V8's object layout. Exploitation requires user interaction (visiting a malicious site). On its own the bug yields code execution inside the renderer sandbox; the system compromise the advisory describes requires chaining a further sandbox escape, so unexplained renderer crashes and child processes spawned by msedge.exe are worth investigating.
.NET Deserialization Flaw
CVE‑2026‑1121 affects BinaryFormatter when it deserializes untrusted data received over WCF. An attacker embeds a gadget chain in the serialized stream that ends in Process.Start, and the command runs with the privileges of the deserializing process, which for a WCF service is often a service account or SYSTEM. BinaryFormatter is unsafe with untrusted input by design; the patch hardens the WCF path, but the durable fix is to stop accepting BinaryFormatter payloads from untrusted sources.
Mitigation Steps
- Deploy the Cumulative Update – Download and install KB5019473 from the Microsoft Update Catalog (or via WSUS/Windows Update). It addresses the Windows and .NET Framework CVEs; Office, Edge and Azure AD are not serviced by a Windows cumulative update and are covered by the product-specific steps below.
- Enable Automatic Updates – Ensure Windows Update is set to automatically download and install critical patches.
- Block Exploit Traffic – Add inbound firewall rules to block the ports the advisory associates with exploit traffic:
  - TCP 135 (DCOM)
  - TCP 445 (SMB)
  - TCP 8080 (Edge remote debugging)
  These rules limit network exposure of DCOM and SMB only; they do nothing for the local Win32k, COM-hijack or Office document paths, and blocking inbound 445/135 on file servers and domain controllers will break them, so scope the rules to endpoints.
- Restrict Office Macro Execution – Deploy Group Policy to disable macros from untrusted sources (Computer Configuration → Administrative Templates → Microsoft Office → Security → Disable all macros without notification).
- Audit Azure AD Tokens – Use Azure AD Conditional Access to require MFA for privileged accounts and monitor anomalous token usage via Azure Monitor.
- Update Edge and .NET – Install the latest Edge stable release. For .NET, take the Framework fix delivered with the cumulative update and plan to move WCF services to a runtime where BinaryFormatter is disabled by default (.NET 8 and later); installing the .NET 8 runtime alongside .NET Framework 4.8 does not change the behaviour of applications that still run on the Framework.
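The firewall and macro steps above as one idempotent script, added here as an example and not taken from the advisory. The port list is the advisory's; the rule names, the profiles chosen, and the Office 16.0 policy registry path (the registry equivalent of the "Disable all macros without notification" setting) are assumptions for this example. Run it elevated.

```powershell
# Added example (not from the advisory): apply the inbound port blocks and the macro policy.
#Requires -RunAsAdministrator

# Ports the advisory associates with exploit traffic.
$blocked = @(
    @{ Port = 135;  Note = 'DCOM' },
    @{ Port = 445;  Note = 'SMB' },
    @{ Port = 8080; Note = 'Edge remote debugging' }
)
foreach ($b in $blocked) {
    $name = "MSRC-2026-001 block inbound TCP $($b.Port) ($($b.Note))"   # assumed naming
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    # Inbound only, and Public/Private profiles only: on the Domain profile a host that
    # serves SMB or DCOM (file server, DC, management target) would stop working.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $b.Port -Action Block -Profile Public, Private | Out-Null
}

# Macro policy: VBAWarnings = 4 is "Disable all macros without notification".
# Policy keys live under HKCU\Software\Policies (assumed here for Office 16.0 builds).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
}

# Show what is now in force.
Get-NetFirewallRule -DisplayName 'MSRC-2026-001*' | Select-Object DisplayName, Enabled, Action
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -Name 'VBAWarnings'
}
```

The registry step is a per-user local equivalent for a single host; in a domain, deploy the same setting through the Group Policy path given above so it is enforced and reported centrally. Remember that the macro policy does not address CVE‑2026‑1116, which needs the Office update.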
Timeline and Compliance
- May 14, 2026 – Microsoft publishes advisory and patch.
- May 21, 2026 – Exploit kits targeting CVE‑2026‑1111 appear on underground forums.
- May 31, 2026 – Recommended deadline for patch deployment across all enterprise environments.
- June 15, 2026 – CISA adds the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog; under BOD 22-01, federal civilian agencies must remediate KEV entries by the catalog's due date.
What to Do Next
- Verify patch status with `wmic qfe list brief /format:table` on Windows hosts. wmic is deprecated and absent from recent builds; `Get-HotFix -Id KB5019473` in PowerShell is the equivalent query.
- Run the Microsoft Safety Scanner to detect any lingering malicious artifacts.
- Review audit logs for anomalous mmc.exe launches or unexpected COM registrations.
- Update incident response playbooks to include these CVEs.
Failure to patch will leave systems open to remote code execution, privilege escalation, and cross‑tenant Azure AD breaches. Act now.