
May 2025 Patch Tuesday includes five zero-day vulnerabilities
Microsoft’s May Patch Tuesday fixes 78 vulnerabilities, including five zero-days and two publicly disclosed flaws.
May’s Patch Tuesday fixes 78 Microsoft vulnerabilities, including five zero-days and two publicly disclosed flaws. Compared to last month, that’s a decent reduction, but there is still plenty to cover.
Let’s look at the five vulnerabilities that CISA added to the list of known exploited vulnerabilities:
CVE-2025-30400 (CVSS score 7.8 out of 10): a use-after-free (UAF) vulnerability in Windows Desktop Window Manager (DWM) allows an authorized attacker to elevate privileges locally.
UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, this can lead to corruption of valid data and the execution of arbitrary code on affected systems.
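To make the sequence described above concrete, here is an added illustration (not code from the advisory, from Microsoft, or from any of the affected drivers). A small pool of "session" objects stands in for the heap so the dangling-pointer path can be shown deterministically: a buggy release poisons the object but leaves the caller's pointer intact, the allocator recycles the slot, and the stale pointer then reads another user's data; the hardened release clears the pointer so every later use is rejected.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not code from the advisory or from Windows: a
 * small pool of "session" objects stands in for the heap. */
#define SESSION_LIVE 0x53455353u   /* slot holds a valid object */
#define SESSION_DEAD 0xDEADDEADu   /* poison written on free    */
#define POOL_SIZE 4

typedef struct { unsigned tag; int user_id; } session_t;
static session_t pool[POOL_SIZE];

void session_pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Allocator: first slot that is not live is handed out, so a freed slot is
 * recycled immediately, just as a real heap reuses a freed chunk. */
session_t *session_new(int user_id) {
    for (size_t i = 0; i < POOL_SIZE; i++) if (pool[i].tag != SESSION_LIVE) {
        pool[i].tag = SESSION_LIVE;
        pool[i].user_id = user_id;
        return &pool[i];
    }
    return NULL;
}

/* Buggy release: the object is poisoned but the caller keeps its pointer. */
void session_free_bad(session_t *s) { s->tag = SESSION_DEAD; }

/* Hardened release: poison the object and clear the caller's pointer. */
void session_free(session_t **sp) { (*sp)->tag = SESSION_DEAD; *sp = NULL; }

/* Every use checks liveness; -1 means the reference was rejected. */
int session_user(const session_t *s) { return (s && s->tag == SESSION_LIVE) ? s->user_id : -1; }

/* Free, recycle, then use the stale pointer: it now reads the second user's
 * data (2002), the "unexpected values" outcome described in the text. */
int demo_dangling(void) {
    session_pool_reset();
    session_t *a = session_new(1001);
    session_free_bad(a);
    (void)session_new(2002);
    return session_user(a);
}

/* Same sequence with the hardened free: the cleared pointer is rejected (-1). */
int demo_cleared(void) {
    session_pool_reset();
    session_t *a = session_new(1001);
    session_free(&a);
    (void)session_new(2002);
    return session_user(a);
}
```

The poison tag alone catches a stale use only until the slot is recycled, which is why clearing the pointer on free matters.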
CVE-2025-32701 (CVSS score 7.8 out of 10): a UAF vulnerability in the Microsoft Windows Common Log File System (CLFS) driver that allows an authorized attacker to elevate privileges locally.
CVE-2025-32706 (CVSS score 7.8 out of 10): a heap-based buffer overflow vulnerability in the Microsoft Windows CLFS driver.
Buffers are areas of memory set aside to hold data or executable code. When a buffer overflow happens, the excess data can overwrite adjacent memory areas, which may contain other data or executable code. The program does not overwrite that memory deliberately; it is an unintended consequence of the flaw, and an attacker can exploit it by controlling what ends up in the overflowing data.
Heap memory is the region of a computer's memory used for dynamic memory allocation. Because the layout of the heap is complex, heap vulnerabilities are usually hard to exploit.
CVE-2025-30397 (CVSS score 7.5 out of 10): a type confusion vulnerability in the Microsoft Windows Scripting Engine. An attacker who successfully exploited this vulnerability could achieve remote code execution.
The Windows Scripting Engine is a language-independent system that can run different scripting languages, including VBScript and JavaScript. Microsoft describes it as an administration tool that can be used for a variety of purposes, including logon scripts, administration, and general automation.
CVE-2025-32709 (CVSS score 7.8 out of 10): a UAF vulnerability in the Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
The Windows Ancillary Function driver for WinSock is a core part of how Windows handles network connections. It acts as a bridge between software on your computer, such as your web browser or email client, and network hardware, such as your network card.
Other vendors
Apple released security updates for iOS, iPadOS, and macOS.
Commvault released a patch for a critical webserver vulnerability.
Google released the May 2025 Android Security Bulletin which fixes 47 vulnerabilities, including one zero-day.
SAP released its May security updates, which include a fix for an unrestricted file upload vulnerability that Federal Civilian Executive Branch agencies must remediate by May 20, 2025.
SonicWall patched a zero-day VPN vulnerability that was exploited in attacks.