Executive Summary
May 2026 demonstrated why severity and patch priority are not the same thing. This report prioritizes vulnerabilities based on enterprise risk reduction, emphasizing internet-facing infrastructure, network-accessible attack paths (AV:N), proof-of-concept availability, active exploitation, and customer-actionable remediation.
| Priority | CVE | Product | Category |
|---|---|---|---|
| 1 | CVE-2026-0257 | Palo Alto GlobalProtect | Perimeter Access Infrastructure |
| 2 | CVE-2026-41096 | Windows DNS | Network Service |
| 3 | CVE-2026-42897 | Microsoft Exchange Server | Email Infrastructure |
| 4 | CVE-2026-40365 | Microsoft SharePoint Server | Collaboration Infrastructure |
| 5 | May 2026 Word CVEs | Microsoft Word | Client-Side Code Execution |
| 6 | May 2026 Excel CVEs | Microsoft Excel | Client-Side Code Execution |
| 7 | May 2026 Edge CVEs | Microsoft Edge | Browser Exploitation |
| 8 | CVE-2026-40402 | Hyper-V | Virtualization Infrastructure |
| 9 | CVE-2026-31431 | Linux Kernel | Privilege Escalation |
| 10 | CVE-2026-40398 | Remote Desktop Services | Privilege Escalation |
Priority Tiers
Tier 1 – High Priority
CVE-2026-0257, CVE-2026-41096, and CVE-2026-42897 should be prioritized immediately due to their exposure, attack-path characteristics, and potential organizational impact.
Tier 2 – Medium Priority
SharePoint, Word, Excel, and Edge vulnerabilities should follow rapidly due to their prevalence and role in common intrusion chains.
Tier 3 – Infrastructure Hardening
Hyper-V, Linux kernel, and Remote Desktop Services vulnerabilities remain important but generally represent post-compromise or specialized attack paths.
Informational Only – No Customer Patching Required
Cloud-side remediated vulnerabilities, including Azure DevOps and other Microsoft-managed services where vendor guidance states no customer action is required, should be tracked by governance teams but excluded from patch deployment prioritization.
CSO Takeaway
The most important lesson from May 2026 is that vulnerability severity does not equal patch priority. Organizations should focus first on internet-facing authentication systems, network-accessible enterprise services, email and collaboration platforms, client-side productivity software, virtualization infrastructure, and finally local privilege escalation vulnerabilities.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
