May 2026 Patch Tuesday: 139 Fixes Without Zero-Days, but Critical Vulnerabilities Demand Urgent Action
Overview of the May 2026 Patch Tuesday Release
Microsoft has rolled out an extensive collection of updates this May, totaling 139 patches that span Windows, Office, .NET Framework, and SQL Server. Notably absent from this bundle are fixes for Microsoft Exchange Server, and for the first time in months, no zero-day vulnerabilities were addressed. While this might sound like a quiet month, the volume and severity of the issues being patched make it anything but routine. Security experts recommend a Patch Now approach for both Windows and Office, given the presence of several remotely exploitable flaws.
Key Vulnerabilities in This Release
The May update addresses a mix of critical and important vulnerabilities that could allow attackers to take control of systems without user interaction. Among the most concerning are three unauthenticated network remote code execution (RCE) flaws: one in the Netlogon Remote Protocol (CVE-2026-XXXX), another in the DNS Client (CVE-2026-XXXX), and a third in the SSO Plugin for Jira and Confluence (CVE-2026-XXXX). Each of these can be exploited remotely without authentication, making them prime targets for wormable attacks.
Additionally, four critical RCE vulnerabilities in the Microsoft Word Preview Pane (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367) were patched. All carry a CVSS score of 8.4, and two have been flagged as “Exploitation More Likely.” The attack vector is particularly insidious: simply viewing a malicious document in Outlook’s preview pane or File Explorer is enough to trigger exploitation. These flaws demand immediate attention from organizations that rely on Office applications.
A large cluster of vulnerabilities in the TCP/IP stack also received fixes, along with a carry-over issue from April: the BitLocker recovery condition affecting Windows 10 and Windows Server. This lingering problem continues to force systems into BitLocker recovery mode under specific Group Policy configurations, as discussed in our Known Issues section below.
Deployment Guidance and Risk Assessment
The May 2026 Assurance Security Dashboard, provided by the Readiness team, breaks down the patch cycle by Microsoft product family to help IT teams assess deployment risks. Given the breadth of critical fixes, an accelerated release schedule is warranted. Testing should begin with internet-facing services, domain controllers, and Office endpoints. For detailed historical context on previous Patch Tuesday releases, refer to our Patch Tuesday archive.
Known Issues in the May 2026 Patch Cycle
Despite a relatively clean bill of health for Windows 11 (24H2, 23H2), Windows 10 22H2, and Windows Server 2025, two known issues require attention:
- BitLocker Recovery on Windows 10 and Windows Server: Devices configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 (Platform Configuration Register 7) profile remain susceptible to the recovery prompt. This condition persists from the April update and has not yet been fully remediated for all affected platforms.
- Unwanted Graphics Driver Downgrades: Microsoft has acknowledged on the Hardware Dev Center that Windows Update can replace manually-installed graphics drivers with older OEM versions. This occurs because the update ranking uses four-part Hardware IDs rather than version numbers, meaning that “Customers who actively manage their display drivers experience unwanted downgrades through Windows Update.”
Issues Resolved in This Update
A few previously reported problems have been addressed in the May patches:
- KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition. It also improves Boot Manager servicing so that subsequent boot file updates do not inadvertently trigger recovery mode.
- Secure Boot Certificate Distribution now includes a new folder,
C:\Windows\SecureBoot, containing automation scripts for IT teams. These scripts assist in rolling out the Windows UEFI CA 2023 key replacement (under CVE-2023-24932) ahead of the 2011 certificate expirations scheduled between June and October 2026. - Simple Service Discovery Protocol (SSDP) Notification Reliability has been improved. The service is now less likely to become unresponsive under sustained load, which is especially relevant for networks using UPnP device discovery.
Mitigation Advice for Word Preview Pane RCEs
Given the severity of the Word Preview Pane vulnerabilities, Microsoft has provided explicit mitigation advice:
- CVE-2026-40361 and CVE-2026-40364 are rated critical (CVSS 8.4) and marked “Exploitation More Likely.” The other two (CVE-2026-40366 and CVE-2026-40367) share the same CVSS score but are currently listed as “Exploitation Less Likely.”
- Because the attack vector is the Preview Pane in Outlook or File Explorer, the simplest mitigation is to disable the preview pane in both applications until the patches are applied. However, applying the updates themselves is the strongest defense.
- Additionally, administrators should restrict macro execution and consider using Protected View for documents from external sources.
Conclusion
While the absence of zero-days in May 2026’s Patch Tuesday may offer a brief sigh of relief, the sheer number of critical remote code execution vulnerabilities—especially those affecting network protocols and Office applications—underscores the need for prompt deployment. Organizations should prioritize testing and rolling out these updates, focusing first on internet-facing systems and Office endpoints. The known BitLocker issue on Windows 10 and Windows Server should also be monitored, even as fixes for newer systems roll out. Stay vigilant and keep your patch management process agile.