Microsoft's May 2026 Patch Tuesday: 139 Fixes, No Zero-Days, but Critical Risks Remain

By — min read

Overview of May 2026 Patch Tuesday

Microsoft has released its May 2026 Patch Tuesday update, delivering a total of 139 security fixes across Windows, Office, .NET, and SQL Server. Unlike previous months, this batch contains no zero-day vulnerabilities—yet it still demands urgent attention. Security experts recommend a “Patch Now” approach for both Windows and Office, thanks to a handful of remote code execution (RCE) flaws and lingering configuration issues.

Microsoft's May 2026 Patch Tuesday: 139 Fixes, No Zero-Days, but Critical Risks Remain — Source: www.computerworld.com

Critical Vulnerabilities Demand Immediate Action

While the absence of zero-days might seem reassuring, the May update includes several high-severity vulnerabilities that can be exploited without authentication, including three unauthenticated network RCEs. Below are the key threats you need to know about.

Netlogon, DNS Client, and SSO Plugin RCEs

Three unauthenticated network RCEs affect Netlogon, the DNS Client service, and the SSO Plugin for Jira and Confluence. These vulnerabilities allow attackers to execute arbitrary code on affected systems without any user interaction. Given their network-based attack vector, internet-facing services and domain controllers are at high risk.

Word Preview Pane RCEs (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367)

Four critical RCEs (CVSS 8.4) reside within the Microsoft Word Preview Pane. Two of these—CVE-2026-40361 and CVE-2026-40364—are flagged as “Exploitation More Likely” by Microsoft. The attack vector is simple: merely viewing a malicious document in Outlook’s Preview Pane or File Explorer can trigger exploitation. This makes them especially dangerous for organizations that rely on email preview features.

TCP/IP Vulnerability Cluster

A large cluster of vulnerabilities in the TCP/IP stack also demands attention. While details are limited, these flaws can lead to remote code execution, and they affect a wide range of Windows versions. The sheer number of fixes in this area suggests a systemic issue that should be prioritized in testing.

Known Issues to Watch

Although this Patch Tuesday arrives with relatively few reported problems, two known issues remain active and require monitoring.

BitLocker Recovery Condition Persists

Windows 10 and Windows Server customers remain exposed to the April 2026 BitLocker recovery condition. This affects devices configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 (Platform Configuration Register 7) profile. The issue can force systems into BitLocker recovery mode after a reboot, potentially causing operational disruptions.

Automatic Graphics Driver Downgrades

Microsoft also acknowledged on the Hardware Dev Center that Windows Update may replace manually installed graphics drivers with older OEM versions from the catalog. This happens because the update ranking uses four-part Hardware IDs rather than version numbers. The result: “Customers who actively manage their display drivers experience unwanted downgrades through Windows Update.” IT teams should verify driver versions post-update.

Issues Resolved

The May update also brings important fixes for earlier problems. Here’s what has been addressed.

KB5089549 for Windows 11 25H2 and 24H2

This cumulative update resolves the April PCR7/BitLocker recovery condition on Windows 11 (both 25H2 and 24H2). It also improves Boot Manager servicing, ensuring that subsequent boot file updates no longer trigger unexpected recovery events. Organizations that postponed updates due to this issue should now move forward.

Secure Boot Certificate Distribution

Microsoft has added a new C:\Windows\SecureBoot folder containing automation scripts for IT teams. These scripts assist with rolling out the Windows UEFI CA 2023 key replacement under CVE-2023-24932. This is critical because the 2011 certificates are set to expire between June and October 2026. The new folder simplifies the key rotation process.

Simple Service Discovery Protocol (SSDP) Improvement

The Simple Service Discovery Protocol (SSDP) notification reliability has been improved, making the service less likely to become unresponsive under sustained load. This fix is relevant for networks running UPnP device discovery, which can generate heavy SSDP traffic.

Mitigation and Deployment Guidance

Given the nature of the May vulnerabilities, the Readiness team recommends an accelerated deployment schedule. Testing should begin with internet-facing services, followed by domain controllers and Office endpoints. Pay special attention to the Word Preview Pane RCEs: Microsoft advises users to avoid previewing untrusted documents in Outlook or File Explorer until patches are fully deployed.

For a full breakdown by product family and deployment risk assessment, refer to the May 2026 Assurance Security Dashboard. More details on recent Patch Tuesday releases are available at the top of this article.

Remember: while there are no zero-days this month, the combination of unauthenticated network RCEs, Preview Pane attacks, and the ongoing BitLocker issue means that delaying the patch cycle is not an option. Plan your testing, prioritize high-risk assets, and apply the updates as soon as possible.

Tags: