Microsoft's May 2026 Patch Tuesday: 139 Updates, No Zero-Days, but Critical RCEs Demand Urgent Action

From Moocchen, the free encyclopedia of technology

Overview of the May 2026 Patch Tuesday Release

Microsoft has rolled out 139 security updates this May, covering Windows, Office, .NET, and SQL Server. Notably, Microsoft Exchange Server received no patches this month. While the absence of zero-day vulnerabilities is a relief, the sheer volume and severity of the fixes—especially three unauthenticated network remote code execution (RCE) flaws in Netlogon, DNS Client, and the SSO Plugin for Jira and Confluence—make this a release that cannot be delayed. The known issues and resolved problems further underscore the need for prompt action.

Microsoft's May 2026 Patch Tuesday: 139 Updates, No Zero-Days, but Critical RCEs Demand Urgent Action
Source: www.computerworld.com

Key Vulnerabilities and Deployment Priorities

The May update includes a cluster of critical RCEs that demand accelerated testing and deployment. Beyond the three network-based RCEs, there are four Word Preview Pane RCEs (CVSS 8.4, with two flagged “Exploitation More Likely”), a large set of TCP/IP vulnerabilities, and a lingering BitLocker recovery condition still affecting Windows 10 and Windows Server. The Readiness team recommends starting tests with internet-facing services, domain controllers, and Office endpoints. For a detailed risk breakdown by product family, refer to the latest Assurance Security Dashboard.

Known Issues

This Patch Tuesday arrives with a relatively clean bill of health for Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025. However, two issues warrant attention:

  • BitLocker recovery on Windows 10/Server: Devices configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 profile remain exposed to the recovery condition first reported in April 2026.
  • Graphics driver downgrades: Microsoft acknowledged on the Hardware Dev Center that Windows Update may replace manually installed graphics drivers with older OEM versions. The ranking system uses four-part Hardware IDs instead of version numbers, causing unwanted downgrades for users who actively manage display drivers.

Issues Resolved

Several important fixes are included in this release:

  • KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition and improves Boot Manager servicing, preventing future boot file updates from triggering recovery.
  • Secure Boot certificate distribution adds a new C:\Windows\SecureBoot folder with automation scripts for IT teams rolling out the Windows UEFI CA 2023 key replacement (CVE-2023-24932), ahead of the 2011 certificate expirations between June and October 2026.
  • Simple Service Discovery Protocol (SSDP) notification reliability improves, making the service less likely to become unresponsive under sustained load—a benefit for networks using UPnP device discovery.
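A post-patch verification script for the items above, written as an added example (it is not from the article, Computerworld, or Microsoft). It assumes the KB number given in the article, the Secure Boot "db" substring check that Microsoft publishes for the CVE-2023-24932 certificate rollout, and the C:\Windows\SecureBoot folder the article mentions; run it in an elevated PowerShell session on a test machine first.

```powershell
# Added example, not code from the article or from Microsoft.
# Verifies the May 2026 items on a Windows 11 24H2/25H2 host after patching.
# Assumptions: $Kb comes from the article; the 'db' substring match follows the
# pattern Microsoft documents for CVE-2023-24932; the folder path is the one the
# article names. Adjust $Kb for other OS builds.

$Kb = 'KB5089549'

function Test-KbInstalled {
    param([string]$Id)
    # Get-HotFix enumerates Win32_QuickFixEngineering; absent KB returns $null.
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-SecureBootOn {
    try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
}

function Test-Ca2023InDb {
    # 'db' is a raw EFI_SIGNATURE_LIST blob containing DER certificates; the
    # new CA's subject name is an ASCII string inside it, so a substring match
    # is sufficient to tell whether the 2023 certificate has been enrolled.
    try {
        $db = (Get-SecureBootUEFI -Name db).Bytes
        [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch {
        Write-Warning "Secure Boot variables not readable: $_"
        $false
    }
}

function Get-BitLockerOsState {
    # Record OS-volume protection before the reboot that applies the update;
    # an unexpected recovery prompt at boot is the symptom described above.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $os) { return 'BitLocker not available' }
    "$($os.ProtectionStatus) / $($os.VolumeStatus)"
}

$report = [ordered]@{
    "$Kb installed"              = Test-KbInstalled -Id $Kb
    'UEFI Secure Boot on'        = Test-SecureBootOn
    'Windows UEFI CA 2023 in db' = Test-Ca2023InDb
    'SecureBoot script folder'   = Test-Path (Join-Path $env:SystemRoot 'SecureBoot')
    'BitLocker OS volume'        = Get-BitLockerOsState
}
$report.GetEnumerator() | Format-Table -AutoSize
```

A host that reports the KB installed but no "Windows UEFI CA 2023" in db has not yet had the certificate enrolled; that is expected until the scripts in the new SecureBoot folder (or your own rollout) have run, and it is the state to track ahead of the 2026 expirations.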

Major Revisions and Mitigations

Given the Preview Pane vulnerabilities, Microsoft has issued mitigation advice. The four Microsoft Word Preview Pane RCEs (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367) are critical at CVSS 8.4, with the first two flagged “Exploitation More Likely.” The Preview Pane serves as the attack vector—simply viewing a malicious document in Outlook or File Explorer is enough to trigger exploitation. Organizations should prioritize patching Office systems and remind users to avoid previewing untrusted documents until updates are applied.
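One way to reduce Preview Pane exposure for a user until the Office updates land, added here as an example (not advice from the article or from Microsoft). It assumes that File Explorer's "Show preview handlers in preview pane" option is stored as the ShowPreviewHandlers DWORD under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; confirm that value name against Folder Options on a test machine before deploying, and note that Outlook's attachment preview is controlled separately in its Trust Center (Attachment Handling).

```powershell
# Added example, not from the article or from Microsoft.
# Temporarily turns off Explorer preview handlers (the component that renders
# Word documents in the Preview Pane) for the current user, with a matching
# re-enable function for after the Office update is applied.
# Assumption: the ShowPreviewHandlers DWORD under the Advanced key backs the
# "Show preview handlers in preview pane" Folder Options setting.

$Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Name = 'ShowPreviewHandlers'

function Get-PreviewHandlerState {
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v)      { return 'enabled (default, value absent)' }
    if ($v.$Name -eq 0)    { return 'disabled' }
    'enabled'
}

function Set-PreviewHandlers {
    param([ValidateSet('Disable','Enable')][string]$Action)
    $before = Get-PreviewHandlerState
    $value  = if ($Action -eq 'Disable') { 0 } else { 1 }
    New-ItemProperty -Path $Key -Name $Name -Value $value -PropertyType DWord -Force | Out-Null
    # Explorer reads this setting when a new window is opened; sign out and back
    # in if an already-open window still renders previews.
    "$before -> $(Get-PreviewHandlerState)"
}

# Interim hardening now; run Set-PreviewHandlers -Action Enable after patching.
Set-PreviewHandlers -Action Disable
```

This is a per-user, non-policy setting, so users can switch it back in Folder Options; for a fleet-wide control use Group Policy Preferences or your endpoint management tool to write the same value, and revert once the Word updates are confirmed installed.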

For full details on all 139 updates, including the TCP/IP cluster and other resolved vulnerabilities, review the known issues section and the official Microsoft Security Response Center bulletins.