May Patch Tuesday Delivers 139 Fixes, No Zero-Days — But Critical Network and Word RCEs Force Urgent Patching
Microsoft's May Patch Tuesday includes 139 updates, no zero-days, but critical unauthenticated RCEs in Netlogon, DNS Client, and Word Preview Pane require immediate attention.
Breaking: May 2026 Patch Tuesday
Microsoft released 139 security updates on Tuesday, covering Windows, Office, .NET, and SQL Server. Despite the absence of zero-day vulnerabilities, the bundle includes several critical remote code execution (RCE) flaws that demand immediate action.
The most pressing issues are three unauthenticated network RCEs in Netlogon, DNS Client, and the SSO Plugin for Jira and Confluence, alongside four Word Preview Pane RCEs rated critical (CVSS 8.4). The large TCP/IP vulnerability cluster and the lingering BitLocker recovery condition on Windows 10 and Windows Server add further urgency.
“This is not a month to delay patching,” said Chris Goettl, vice president of security product management at Readiness. “The combination of network-level RCEs and Word Preview Pane vulnerabilities creates multiple attack paths that adversaries can exploit without user interaction.”
Background: What's in the Bundle
May’s Patch Tuesday marks the monthly update cycle for Microsoft products. While no zero-days were reported, the severity of the vulnerabilities—especially those that can be triggered over the network or via email preview panes—makes accelerated deployment necessary.
The Readiness team recommends testing start with internet-facing services, domain controllers, and Office endpoints. The May 2026 Assurance Security Dashboard categorizes updates by product family to help organizations assess deployment risk.
Known Issues to Watch
Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025 arrived with a clean bill of health regarding reported issues. However, two problems require attention.
BitLocker Recovery Condition: Windows 10 and Windows Server devices remain exposed to the April 2026 BitLocker recovery issue if they have the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy set and an invalid PCR7 profile. “Organizations still running Windows 10 need to check their BitLocker configurations,” Goettl warned.
Graphics Driver Downgrades: Microsoft acknowledged on the Hardware Dev Center that Windows Update may replace manually-installed graphics drivers with older OEM versions because its ranking uses four-part Hardware IDs rather than version numbers. This can cause unwanted downgrades for users who actively manage their display drivers.
Resolved Issues
KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition. It also improves Boot Manager servicing so subsequent boot file updates no longer trigger recovery.
Secure Boot certificate distribution now adds a C:\Windows\SecureBoot folder with automation scripts for IT teams rolling out the Windows UEFI CA 2023 key replacement under CVE-2023-24932. This is ahead of 2011 certificate expirations between June and October 2026.
Simple Service Discovery Protocol (SSDP) notification reliability improves, reducing the service’s chance of becoming unresponsive under sustained load—important for networks using UPnP device discovery.
Major Revisions and Mitigations
Microsoft offered mitigation advice for the Word Preview Pane RCEs (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). All are critical at CVSS 8.4, with the first two flagged “Exploitation More Likely.” The attack vector is the Preview Pane; simply viewing a malicious document in Outlook or File Explorer can trigger exploitation. Organizations are urged to apply the updates immediately and consider disabling the Preview Pane as a temporary workaround.
What This Means for Organizations
IT teams should prioritize patching internet-facing systems, domain controllers, and Office endpoints first. The network RCEs allow attackers to execute code without authentication, while the Word Preview Pane flaws can infect systems through email or file explorer previews. Delaying deployment could leave critical infrastructure exposed to remote attacks.
“The lack of zero-days should not create a false sense of security,” Goettl emphasized. “These vulnerabilities are highly exploitable and require immediate attention. Use the Assurance Dashboard to prioritize and test updates efficiently.”
For ongoing information, check the Microsoft Security Response Center update guide and the Readiness Patch Tuesday hub.