
May Patch Tuesday 2026: 139 Updates Without Zero-Days – What You Need to Know

Posted by u/Tiobasil · 2026-05-18 16:33:17

Microsoft's May 2026 Patch Tuesday delivered 139 updates spanning Windows, Office, .NET, and SQL Server, notably skipping Exchange Server. Despite no zero-day vulnerabilities, the release demands immediate attention due to critical remote code execution flaws and lingering issues from April. IT teams must prioritize internet-facing services, domain controllers, and Office endpoints. Below, we break down the key questions and answers about this month's security bulletin.

How many updates did Microsoft release in May Patch Tuesday, and which products were affected?

The May 2026 Patch Tuesday includes 139 updates affecting Windows (all supported versions), Office (including Word, Outlook, and other suite components), .NET Framework, and SQL Server. Notably, there were no patches for Microsoft Exchange Server this month. The update volume is consistent with recent months, but the severity distribution leans heavily toward remote code execution (RCE) vulnerabilities, especially in networking components and the Office preview pane. IT administrators should verify their inventory covers all affected products, as some updates may require separate deployment steps for .NET or SQL Server.

Source: www.computerworld.com

Were there any zero-day vulnerabilities addressed in this Patch Tuesday?

No. The May 2026 Patch Tuesday addresses no zero-day vulnerabilities, that is, none that were publicly disclosed or known to be exploited at the time of release. The absence of zero-days removes the emergency-patching pressure but not the risk. The combination of multiple unauthenticated network RCEs (CVSS base scores up to 8.4) and the Word Preview Pane RCEs means an attacker can compromise a system without the target opening the document. Microsoft's "Exploitation More Likely" assessment for two of the Word RCEs further emphasizes the need for swift deployment.

What are the most critical vulnerabilities IT teams should prioritize?

The top priorities include three unauthenticated network RCEs affecting Netlogon, the DNS Client, and the SSO Plugin for Jira and Confluence. Additionally, four Microsoft Word Preview Pane RCEs (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367) are rated Critical by Microsoft with a CVSS base score of 8.4 (note that 8.4 falls in the CVSS "High" band; the Critical label is Microsoft's own severity rating, so filter on both fields if your ticketing keys off CVSS alone). The TCP/IP vulnerability cluster also warrants attention. The BitLocker recovery condition from April remains active on Windows 10 and Windows Server and requires separate mitigation; the known issues section details the carry-over problems. Microsoft recommends that testing begin with internet-facing servers, domain controllers, and Office end-user devices.
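The prioritization above (domain controllers first, then internet-facing servers, then Office endpoints) is easy to turn into a per-host report. The script below is an added example, not code from the Computerworld article or from Microsoft; it collects the OS version, domain-controller role, installed KBs, Office Click-to-Run version, SQL Server instances (which need their own cumulative update, separate from Windows Update) and wide-open listening ports as a rough proxy for "internet-facing". The `$RequiredKb` list is a placeholder: KB5089549 is the only KB named in this post and applies to Windows 11 25H2/24H2, so fill the list from the KB articles for each OS version you run.

```powershell
# Added example (not from the Computerworld article or Microsoft): inventory the
# products this month's updates touch and rank hosts the way the post suggests
# (domain controllers, internet-facing servers, Office endpoints, everything else).
# Run locally, or fan out with Invoke-Command against a host list.
# $RequiredKb is a hypothetical default; replace it with your per-OS KB list.

function Get-PatchTuesdayPosture {
    param(
        [string[]]$RequiredKb = @('KB5089549')   # assumption: KB5089549 applies to Win11 25H2/24H2 only
    )

    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $ntcv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDc = $cs.DomainRole -in 4, 5

    # Get-HotFix reads Win32_QuickFixEngineering; it lists Windows KBs, not Office C2R or SQL CUs
    $installed = (Get-HotFix).HotFixID
    $missing   = $RequiredKb | Where-Object { $_ -notin $installed }

    # Office Click-to-Run build and update channel; the key is absent on hosts without Office
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue

    # SQL Server instances are patched by their own cumulative updates, so flag hosts that have any
    $sql = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    $sqlInstances = if ($sql) {
        $sql.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
    } else { @() }

    # Sockets bound to all interfaces are a rough proxy for "internet-facing"; refine with firewall data
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
                 Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSCaption          = $os.Caption
        DisplayVersion     = $ntcv.DisplayVersion          # e.g. 24H2
        Build              = "$($os.Version).$($ntcv.UBR)"
        IsDomainController = $isDc
        MissingKb          = $missing
        OfficeC2RVersion   = $c2r.VersionToReport
        OfficeChannel      = $c2r.UpdateChannel
        SqlInstances       = $sqlInstances
        ListeningPorts     = $listening
        # 1 = DC, 2 = has wide-open listeners, 3 = Office endpoint, 4 = everything else
        Priority           = if ($isDc) { 1 } elseif ($listening.Count -gt 0) { 2 } elseif ($c2r) { 3 } else { 4 }
        LastBoot           = $os.LastBootUpTime
    }
}

# Single host:
Get-PatchTuesdayPosture | Format-List

# Fleet (hosts.txt is a hypothetical one-name-per-line file):
#   $hosts = Get-Content .\hosts.txt
#   Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-PatchTuesdayPosture} |
#       Sort-Object Priority | Export-Csv .\may2026-posture.csv -NoTypeInformation
```

Sort the CSV by `Priority` and work down the list; anything with `MissingKb` populated in rows 1 and 2 is where the unauthenticated network RCEs matter most. Office endpoints show up with an `OfficeC2RVersion` but no KB signal, because Click-to-Run updates do not appear in `Get-HotFix`; compare that version against the build Microsoft lists as fixed for your channel.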

What known issues exist after installing the May updates?

Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025 are reported as having no new known issues, but two carry-over issues persist:

  • BitLocker recovery condition (from April) still affects Windows 10 and Windows Server devices that use the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy with an invalid PCR7 profile.
  • Graphics driver downgrade bug: Windows Update may replace manually-installed graphics drivers with older OEM versions because Microsoft’s ranking uses four-part Hardware IDs instead of version numbers. IT teams actively managing display drivers may experience unwanted downgrades.

What issues were resolved in the May Patch Tuesday?

Several key fixes address previous problems:

  • KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition. It also improves Boot Manager servicing to prevent future boot file updates from triggering recovery.
  • Secure Boot certificate distribution now creates a C:\Windows\SecureBoot folder with automation scripts for IT teams deploying the Windows UEFI CA 2023 key replacement (CVE-2023-24932) before the 2011-era Secure Boot certificates expire (June–October 2026).
  • Simple Service Discovery Protocol (SSDP) reliability improves, reducing unresponsiveness under sustained load—important for networks with UPnP device discovery.
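Before relying on the new scripts folder, it is worth knowing where each host stands on the 2011-to-2023 certificate transition. The following is an added example, not code from the article or from Microsoft's own scripts: it reads the UEFI `db` and `KEK` variables and looks for the subject names of the old and new Microsoft CAs, which is the same kind of check Microsoft's CVE-2023-24932 guidance describes. The `Servicing` registry value it reports is an assumption about how the in-box servicing records its state and may differ by build, so treat it as informational and verify against the documentation for your OS version.

```powershell
# Added example (not from the article or Microsoft): report a host's position on the
# Secure Boot 2011 -> 2023 certificate transition. Certificate subjects are stored as
# printable ASCII inside the DER blobs in the db/KEK variables, so a substring match
# on the decoded bytes is enough to tell which CAs are present.
# Requires an elevated prompt on a UEFI system.

function Get-SecureBootCertStatus {
    # Confirm-SecureBootUEFI throws on legacy BIOS or where the variable is unreadable
    $enabled = try { Confirm-SecureBootUEFI } catch { $false }

    $db  = try { [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)  } catch { '' }
    $kek = try { [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes) } catch { '' }

    # Assumption: value names under this key follow the servicing documentation for your build
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootEnabled   = $enabled
        Db_UEFICA2011       = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Db_WinProdPCA2011   = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_WinUEFICA2023    = $db  -match 'Windows UEFI CA 2023'
        Db_OptionROMCA2023  = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        Kek_KEKCA2011       = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek_KEK2KCA2023     = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        ServicingStatus     = $svc.UEFICA2023Status      # assumption: value name may differ by build
        ScriptsFolderExists = Test-Path "$env:SystemRoot\SecureBoot"   # folder the post says the May update creates
    }
}

Get-SecureBootCertStatus | Format-List
```

A host that shows `Db_WinUEFICA2023 = False` after the expiry window closes will stop accepting boot managers signed with the 2023 CA, so this is the column to drive the rollout from. Firmware vendors, not Microsoft, ship the OEM-specific `db` entries, so a `False` in the 2023 columns on a fully patched host usually means the firmware update or the KEK-signed update has not been applied yet.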

What mitigation advice did Microsoft offer for the Word Preview Pane RCEs?

Microsoft specifically highlighted four critical RCEs in the Microsoft Word Preview Pane: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367. All are rated CVSS 8.4, with the first two flagged “Exploitation More Likely.” The attack vector is the Preview Pane—viewing a malicious document in Outlook or File Explorer is enough to trigger exploitation. Microsoft advises organizations to:

  • Apply the Office updates immediately, especially on systems that use Outlook or File Explorer with preview enabled.
  • Consider disabling the Preview Pane temporarily if updates cannot be deployed quickly.
  • Monitor for unusual document-based attacks on endpoints.
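The "disable the Preview Pane" advice is usually implemented per user in the Outlook and Explorer UI, which does not scale. The script below is an added example, not code from the article or from Microsoft: it removes the Word preview handler from the shell's registered preview handlers, which is what both Outlook and File Explorer call to render a document in the pane, and it keeps a backup so the registration can be restored once the Office update has landed. The CLSID used for the Word previewer is an assumption; run the `list` action first and confirm the entry whose name reads as the Word previewer on your build before removing anything. Run it elevated, and check the `WOW6432Node` copy of the same key if you have 32-bit Office on 64-bit Windows.

```powershell
# Added example (not from the article or Microsoft): temporarily unregister the Word
# preview handler on hosts where the Office update cannot be deployed yet, and restore
# it afterwards. Outlook and File Explorer both use the shell preview handlers listed
# under this key, so removing the entry stops Word documents from being rendered in
# the Preview Pane without changing Word itself.
# Usage: .\word-preview.ps1 list | disable | enable   (elevated prompt required)

$PreviewKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
$WordPreviewClsid = '{84F66100-FF7C-4fb4-B0C0-02CD7FB668FE}'   # assumption: confirm with 'list' first
$BackupFile       = "$env:ProgramData\PreviewHandlers-backup.json"

function Get-RegisteredPreviewHandler {
    # Value name = handler CLSID, value data = display name
    (Get-ItemProperty $PreviewKey).PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } |
        ForEach-Object { [pscustomobject]@{ Clsid = $_.Name; Handler = $_.Value } }
}

function Disable-WordPreviewHandler {
    $entry = Get-RegisteredPreviewHandler | Where-Object Clsid -eq $WordPreviewClsid
    if (-not $entry) { Write-Warning "No handler $WordPreviewClsid registered; nothing to do"; return }
    # Persist the exact registration so Enable- can put it back verbatim
    $entry | ConvertTo-Json | Set-Content $BackupFile
    Remove-ItemProperty -Path $PreviewKey -Name $WordPreviewClsid
    Write-Host "Removed preview handler '$($entry.Handler)' ($WordPreviewClsid); backup in $BackupFile"
}

function Enable-WordPreviewHandler {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; nothing to restore" }
    $entry = Get-Content $BackupFile -Raw | ConvertFrom-Json
    New-ItemProperty -Path $PreviewKey -Name $entry.Clsid -Value $entry.Handler -PropertyType String -Force | Out-Null
    Write-Host "Restored preview handler '$($entry.Handler)' ($($entry.Clsid))"
}

switch ($args[0]) {
    'list'    { Get-RegisteredPreviewHandler | Format-Table -AutoSize }
    'disable' { Disable-WordPreviewHandler }
    'enable'  { Enable-WordPreviewHandler }
    default   { 'usage: .\word-preview.ps1 list | disable | enable' }
}
```

Outlook reads the handler list at startup, so users need to restart Outlook for the change to take effect; Explorer picks it up on the next preview. This only covers the Preview Pane vector the post describes; a user who double-clicks the attachment still opens it in Word, so Protected View and the Office update itself remain the real fix.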

Is the BitLocker recovery condition from April fully fixed?

No, the fix is only partial this month. KB5089549 resolves the condition for Windows 11 25H2 and 24H2, but Windows 10 and Windows Server devices still trip into BitLocker recovery if they have the problematic Group Policy setting and an invalid PCR7 profile. Microsoft acknowledges this carry-over issue and expects a future update to address it fully. In the meantime, IT admins should identify the affected systems, make sure recovery passwords are escrowed, and consider temporary policy adjustments to avoid unexpected BitLocker recovery prompts. The graphics driver downgrade bug also remains unresolved.
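The carry-over condition described here and in the known-issues list above comes down to one Group Policy setting, so it can be audited before the May update is pushed to Windows 10 and Windows Server. The script below is an added example, not code from the article or from Microsoft. It reads the registry location where the "Configure TPM platform validation profile for native UEFI firmware configurations" policy is stored, reports which PCRs the profile selects and whether Secure Boot is on (PCR7 binding only validates cleanly with Secure Boot enabled, which is the most common way a PCR7 profile ends up invalid, though the post does not say what made the April profiles invalid), and offers a helper to escrow the OS volume's recovery password to Active Directory first. The per-PCR value names (`0` through `23`) are an assumption taken from the policy's ADMX layout; verify them with a test GPO on your domain before trusting the `PolicyPcrs` column.

```powershell
# Added example (not from the article or Microsoft): audit the policy behind the
# carry-over BitLocker recovery condition on Windows 10 / Windows Server and escrow
# recovery passwords before patching. Run elevated; needs the BitLocker module.
# Assumptions: the policy's per-PCR checkboxes are stored as DWORD values named
# "0".."23" under the key below (from the ADMX); confirm on a test host.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Get-BitLockerPcrPosture {
    $policy = Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue
    $pcrs = @()
    if ($policy) {
        $pcrs = $policy.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
                ForEach-Object { [int]$_.Name } | Sort-Object
    }
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPw = $osVol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PolicyConfigured      = [bool]$policy -and $policy.Enabled -eq 1
        PolicyPcrs            = $pcrs -join ','
        # PCR7 measures the Secure Boot state; selecting it with Secure Boot off is a
        # profile BitLocker cannot validate (general BitLocker behaviour, not April-specific)
        Pcr7WithoutSecureBoot = ($pcrs -contains 7) -and -not $secureBoot
        SecureBootEnabled     = $secureBoot
        ProtectionStatus      = $osVol.ProtectionStatus
        HasRecoveryPassword   = $hasRecoveryPw
    }
}

function Backup-OsRecoveryPassword {
    # Escrow every RecoveryPassword protector on the OS volume to Active Directory.
    # For Entra-joined devices use BackupToAAD-BitLockerKeyProtector with the same parameters.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($kp in $osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-BitLockerPcrPosture | Format-List
# Run Backup-OsRecoveryPassword on hosts where PolicyConfigured is True before approving the update
```

Hosts where `PolicyConfigured` is `True` and `HasRecoveryPassword` is `False` are the ones to fix first: without a recovery password protector there is nothing to escrow, and a device that trips into recovery after the update has no way back in. Clearing the policy (or moving those machines to an OU without it) for the duration of the rollout is the "temporary policy adjustment" the post refers to.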