No Zero-Days and High Criticals: The May 2026 Windows Patch Tuesday Breakdown

Posted on by Martin Brinkmann

If April 2026 was an avalanche of patches, May brings a welcome breather from zero-days but keeps the critical severity count high.

Microsoft’s fifth Patch Tuesday of 2026 has arrived, addressing 120 vulnerabilities in total. While it breaks a long-standing streak by featuring zero publicly disclosed or actively exploited zero-day flaws, the sheer volume of severe remote code execution (RCE) bugs demands attention.

The update contains 17 critical flaws affecting a wide range of enterprise products, including Windows Netlogon, DNS Client, Azure DevOps, and Microsoft Word.

Here is the breakdown of what you need to know, what to patch first, and what might break.

You can download an Excel spreadsheet with information about the patches that Microsoft released:

windows-updates-may-2026Download

The May 2026 Patch Day overview

Executive Summary

  • Release Date: May 12, 2026
  • Total Vulnerabilities: 120
  • Critical Vulnerabilities: 17
  • Zero-Days: 0

Key Action Item: Administrators must prioritize patching network-exposed infrastructure, specifically domain controllers affected by the Netlogon vulnerability (CVE-2026-41089) and systems running the Windows DNS Client. Simultaneously, Microsoft Office installations need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities that can be triggered simply via the Windows Preview Pane.

Important Patches

  • CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability
  • CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability
  • CVE-2026-42826 — Azure DevOps Information Disclosure Vulnerability
  • CVE-2026-40364 — Microsoft Office Word Remote Code Execution Vulnerability
  • CVE-2026-40402 — Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2026-32185 — Microsoft Teams Spoofing Vulnerability

Cumulative Updates

Product, VersionLinksNotes
Windows 11 & Windows 10KB5087544 (Windows 10)
KB5089549 (Windows 11)		Security updates addressing OS-level RCEs in Netlogon, DNS Client, and Windows Graphics components (Win32k). Also resolves various Elevation of Privilege flaws across the Windows Kernel.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that it patched zero 0-day vulnerabilities this Patch Day, but addressed a heavy enterprise focus of critical remote code execution and information disclosure flaws.

Here is the critical overview:

CVE-2026-41089 (Windows Netlogon Remote Code Execution Vulnerability)

A critical stack-based buffer overflow flaw (CVSS 9.8) affecting Windows Netlogon. A remote, unauthenticated attacker could exploit this by sending a crafted network request to a Windows server running as a domain controller. If successful, this causes the Netlogon service to improperly handle the request, allowing the attacker to execute malicious code without requiring any prior access or credentials.

CVE-2026-41096 (Windows DNS Client Remote Code Execution Vulnerability)

This critical heap-based buffer overflow vulnerability (CVSS 9.8) affects the Windows DNS service. It allows remote code execution over the network and can be exploited by sending a malicious DNS response, triggering memory corruption within the Windows DNS client. Depending on the configuration, an unauthenticated attacker can achieve full RCE.

CVE-2026-42826 (Azure DevOps Information Disclosure Vulnerability)

This is the highest-rated flaw this month, boasting a perfect CVSS score of 10.0. While Microsoft withheld specific exploitation details, a perfect severity score indicates that unauthenticated attackers could potentially access highly sensitive enterprise data, credentials, and source code stored or handled in Azure DevOps.

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367 (Microsoft Word RCE Vulnerabilities)

A cluster of critical vulnerabilities in Microsoft Word (CVSS 8.4) that allow an unauthorized attacker to execute code locally. Notably, these flaws can be triggered through the Windows Preview Pane, meaning a user only needs to preview a specially crafted document to be compromised, without ever fully opening the file.

CVE-2026-40402 (Windows Hyper-V Elevation of Privilege Vulnerability)

A severe flaw (CVSS 9.3) allowing for a guest-to-host escape in Windows Hyper-V. By targeting certain hardware device registers, an attacker operating from within a guest virtual machine can escape the isolated environment and gain SYSTEM privileges on the underlying host system.

First Steps: Your Patch Tuesday Strategy

  • Prioritize Domain Controllers (Netlogon) and DNS Client services
  • Address high-risk Azure deployments (DevOps, Cloud Shell)
  • Update Office installations immediately to mitigate Preview Pane risks

Expect more Firefox updates in the future, beginning with Firefox 151

Posted on by Martin Brinkmann

Mozilla releases a new stable version of its open source Firefox web browser every four weeks. This new version introduces new features, bug and security fixes. Up until now, smaller updates were released between two major releases.

These point updates do not include new features usually but fix security issues and/or non-security issues. The releases were not predictable up until now. While you could almost be certain that a point update would be released, it was never really certain when.

This changes with the release of Firefox 151. Mozilla is switching to the same point update release rhythm that Google uses for its Chrome web browser currently.

Put simply, Mozilla plans to release a point update every week going forward. This means three Firefox point releases at the very same day of the week in-between major releases. Three point updates will follow the release of Firefox 151 and any other major browser release that follows.

The organization confirmed the change on the official Wiki (via Sören Hentzschel):

Starting with Fx151, we now have 3 weekly dot releases for Desktop and Android
Release calendar updates will be live shortly

Other than that, there is no explanation from Mozilla regarding the change yet. Considering that Google announced recently to shorten Chrome release cycles to two weeks, it is likely an attempt to stay ahead of major developments and push out fixes faster to the user base.

With AI helping Mozilla find security issues in Firefox, it is probably one reason why the organization decided to push out more updates to get these fixes on user systems as soon as possible.

Here is what happened so far in 2026

Posted on by Martin Brinkmann

This is going to be a rather personal look at the past couple of months and how things have evolved since then.

As you may know, Softonic, the Spanish company that acquired Ghacks years ago, sold it in a rather hasty deal. The writing was on the wall for some time, especially since the budget for the site was cut in half more or less. This meant less articles written and it fueled the spiral downwards.

We, the writers, were not in the loop. One day in December, we were told that the site had been sold. Our access was cut immediately and the entire team was fired passively. Later, I was asked if I wanted to write a good-bye article, but it was already too late for that in my opinion.

Anyway, this meant that I stopped writing for Ghacks after nearly 20 years of doing so more or less every day. It was tough for Ashwin as well, who lost his main source of income.

There is little chance that the Ghacks situation is going to change in the future.

For now, these are the places that you can find my articles or takes at:

  • Chipp.in, my personal blog: No ads, no tracking, tech news, some tutorials. I do not post as frequently as I’d like to.
  • Weekly Tech Insights: a newsletter published once a week. I recently started to integrate longer takes on certain tech news, also has tutorials and other nice stuff. Totally free.
  • Ask Woody Newsletter: I was approached by Will from the Ask Woody Newsletter some time ago and became a contributor. My plan is to submit articles to the newsletter regularly. Ashwin also started contributing.
  • Gamestar Tech: This is the online tech section of one of the biggest German gaming magazines. Contribute daily tech news in German.
  • Windows 11 Book: I have started working on the next revision of the book. Much has changed since 2024 and the book is in dire need of updating.

As far as personal sites are concerned, it is getting incredibly difficult to maintain them. AI tools are taking over, whether you like it or do not. More and more users will ask AI on search engine sites and elsewhere when they run into a problem or need an opinion or advice. This means less traffic to sites, which make less money as a consequence.

Many of my favorite tech news sites have vanished in the past couple of years. Google is changing its algorithm constantly and that usually means less visits. Yes, there are some holdouts, but even these face the problems.

You need to offer something that the competition or AI can’t bring to the table. And that is what I plan to do here. This site will never grow to Ghacks levels, as it is niche, not really indexed well in search engines. Means: only a handful of people will ever find it, unless an article gets suddenly pushed via a major Internet site.

My plan: grow slowly by word of mouth only, ignore search engines or AI, they are unpredictable. Build trust, never falter, never change. We will see how this goes.

New Windows 11 feature “Low Latency Profile” may boost app starts by up to 70 percent

Posted on by Martin Brinkmann

The time to go brew a coffee whenever you start a taxing program on Windows could soon be a thing of the past. Reports by Windows Central and other sources suggest that Microsoft is testing a new Low Latency Profile feature that could speed up the start of apps by up to 70 percent.

The idea behind the feature is straightforward: Boost the processors frequency for certain taxing tasks on the system to speed them up. Examples are the opening of apps, system flyouts, or the display of menus on the system.

According to Windows Central, app starts could be boosted by up to 40 percent while the launch times of interfaces could be boosted up to 70 percent.

Depending on the PC that you are using, these things may happen near instantly already all the time. Deskmodder tested the feature in an Insider build recently and concluded that it does not really help, if the PC in question is modern.

However, when a PC is older, it could indeed speed up certain options noticeably.

The new feature is part of Microsoft’s effort to improve the performance and stability of the operating system. It is but one of the changes that Microsoft is testing currently. Others include optimizing apps or code, or switching to modern interfaces.

The new Low Latency Profile feature runs in the background automatically. Whether there will be an option in Settings or elsewhere to disable the feature remains to be seen. It is likely that there will be at least a Group Policy and Regedit option to manage that.

Phantom of Earth posted the relevant IDs for the feature on X.

If you want to try out Low Latency Profile in recent Insider builds and see if it makes any difference, enable these feature IDs:

LowLatencyProfile: 60716524
LowLatencyProfileForApplicationLaunch: 61391826

Run .\vivetool /enable /id:60716524,61391826 in Terminal (elevated) to enable these.

Google introduces Approximate Location sharing in Chrome: here is what it does

Posted on by Martin Brinkmann

Mobile devices and web browsers support the sharing of the current location. This gives apps, websites and services access to a user’s location in the world. Ideally, to provide custom information, such as zooming to that location on a map, showing businesses nearby, providing directions, or loading specific information on a website.

While useful in that regard, location does reveal information about the user. The feature is usually locked behind a permission, but some apps may not start at all without it or block access to features.

Google announced on its official The Keyword blog that it is introducing approximate location sharing in Chrome. The feature lands in Chrome for Android first before it will also be introduced in the desktop versions of the browser.

Here is what it does: Google Chrome’s new Approximate Location Sharing feature enhances privacy by giving users a third option when websites request their whereabouts: sharing a general regional area rather than the exact coordinates. While users can still grant precise location access for tasks that genuinely need it—such as getting turn-by-turn navigation, placing a delivery order, or finding a nearby ATM—everyday browsing activities like checking local weather or reading regional news can now function perfectly well with just a neighborhood or city-level location.

In other words, websites and apps get information about a region a user is in and not the precise location. This new permission is intended for services that do not require accurate information and for users who do not want to share their exact location.

When a location prompt pops up on the mobile, users can now pick between “precise” and “approximate” and the usual options to “never allow”, “allow this time”, or “allow while visiting the site” options. Google says that the feature will land on desktop in Chrome in the coming months as well. For now, it is only available in Chrome for Android.

How useful is it for privacy? It can be used to share less-exact information about ones location. That is useful, especially for services that do not require it to function. If you want to get local news or weather, it does not really matter if the service that is providing the information knows the exact location or not. In that regard, it is a useful addition for users who share location but prefer it to be less exact whenever possible.

This is the new Firefox design that is currently in testing

Posted on by Martin Brinkmann

News leaked some time ago that Mozilla was working on a new design for its open source Firefox web browser. Now, with the most recent version of the cutting edge Nightly browser comes the first glimpse of that new design.

However, the new Firefox design is not enabled by default and it may take some time before that is going to be the case.

What is Project Nova?

Internally dubbed Project Nova, this redesign departs from Firefox’s current aesthetic in favor of a much softer, modern interface heavily characterized by rounded elements. The most striking changes include the address bar and tabs, which now sit within a segmented, “floating island” UI element.

Additionally, web page content no longer sits flush against the edges of the browser window; instead, it is elegantly framed within a rounded container. Combined with curved hover effects and refreshed icons, Nova gives Firefox a noticeably more fluid and approachable appearance.

Beyond its structural changes, the Nova redesign introduces a fresh splash of personality through customizable pastel gradients and vibrant color accents on the new tab page and menus. As the major successor to the “Proton” UI introduced in 2021, Nova also brings functional layout updates, including improved integration for vertical tabs, a built-in compact mode to decrease UI spacing, and a revamped settings page.

How to enable Nova in Firefox

Make sure that you have installed the latest version of Firefox Nightly. Nova will come to Beta and Stable Firefox eventually, but this may take some time. If you want to give Nova a try right now, you need the development version.

  1. Load about:config in the Firefox address bar.
  2. Search for browser.nova.enabled.
  3. Use the toggle at the end of the line to set the preference to True.
  4. Restart Firefox.

If all worked out, you should see first bits of the new design in action.

It is not the biggest of re-designs at the moment. In fact, depending on the theme and website, you may not even notice that much has changed to begin with.

Windows 11 KB5083769 Update Blocking Macrium Reflect and Backup Apps

Posted on by Martin Brinkmann

Imagine trying to secure your PC’s most important files, only to discover that your trusted backup software has been actively locked out by the operating system itself. That is exactly what is happening to Windows 11 users this week, as Microsoft has officially confirmed in a recently updated support document that its latest patches (KB5083769 and KB5083631) are intentionally blocking popular third-party backup applications like Macrium Reflect.

The Redmond giant explained that this disruptive change is the result of a strict new security hardening measure, which actively adds the psmounterex.sys kernel driver to the Microsoft Vulnerable Driver Blocklist to protect systems from known exploits—leaving affected users dealing with timeout errors and broken disk image mounting.

Microsoft confirms the change and that third-party backup software may be affected on a new support page. However, the company has not added any information about potential issues to the official KB release notes, making it difficult for affected users and also system administrators to investigate the issue.

According to the company, users and IT administrators may observe the following behavior after installing April 2026 or later updates for Windows 11:

What new behavior should I expect?
Users and IT administrators might observe the following behavior after installing the update:

Backup applications that rely on the kernel driver psmounterex.sys might fail to mount backup image files as virtual drives.

Attempting to browse or restore from a backup image might result in errors or timeouts.

Failures might be followed by error messages, such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSS_E_BAD_STATE.

Event Viewer might show Code Integrity errors indicating that psmounterex.sys was blocked from loading.

Backup creation (full image backups) may still succeed, but image-mount operations will fail.

Microsoft claims that the change is “designed to protect devices against known vulnerabilities in the psmounterex.sys kernel driver. That is exactly the driver that some backup apps, including Macrium Reflect, use for managing and mounting disk images.

The vulnerability that Microsoft mentions was discovered in certain versions of the driver in late 2023 already. If exploited, bad actors can use this flaw to escalate their privileges and execute arbitrary malicious code at the kernel level, completely compromising the system.

The result for users who run backup apps that rely on the driver: When a user tries to mount a backup image, the backup app attempts to load the psmounterex.sys driver. Windows Code Integrity enforcement steps in and actively blocks the driver from loading because it’s on the blacklist. Without the driver, the backup app cannot complete its task, leading to Volume Shadow Copy Service (VSS) timeouts and mounting errors.

In short, Microsoft is deliberately breaking the functionality of these apps to stop a known security loophole from being exploited at the kernel level.

You can now ask Gemini to create Microsoft Office documents directly

Posted on by Martin Brinkmann

Google added a useful new feature to its Gemini AI recently: the ability to create Microsoft Office documents directly using prompts.

While Gemini could create tables and such already, you had to copy the information manually up until now into a Microsoft Office file, if Microsoft Office is your Office suite of choice.

This changes with the most recent update. Now, you can ask Gemini to create Microsoft Office documents directly and the process could not be simpler.

Just add “export the table to Excel format” or “export the text to Word format” to your prompt to do so. Gemini will then show an attachment at the top that is in the right format and contains the information that you requested.

For instance, I used the following prompt to get Gemini to compare the classic Steam Controller to the new gamepad that Valve plans to release in a few days:

Compare the old and new Steam Controller. Create a table. Export that table to Excel format

Gemini displayed the Excel spreadsheet at the top and below that it listed the information that I requested.

All you need to do is click on the attached file to display it right away. This opens options to print it or save it to the local system.

Interestingly enough, the information that Gemini presents to you directly may be different from the information that you requested to be put into the Office document. I guess you can use the instructions to make them identical though, which would be useful to make sure that the Office document has the right information.

Firefox

Firefox 150.0.1 is out with a Facebook fix and security patches

Posted on by Martin Brinkmann

Mozilla released point updates for its open source Firefox web browser yesterday evening. The updates are available for all three supported stable versions of the browser:

  • Firefox 150.0.1
  • Firefox 140.10.1 ESR
  • Firefox 115.35.1 ESR

However, only the main stable release, Firefox 150.0.1 is getting bug fixes and security patches. The two extended support release versions do get the security fixes only.

Here are the fixed security issues:

  • CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component
  • CVE-2026-7322: Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1
  • CVE-2026-7323: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1
  • CVE-2026-7324: Memory safety bugs fixed in Firefox 150.0.1

The changes in Firefox 150.0.1

Mozilla lists five non-security fixes and a change in the official release notes:

  • Fixed issues accessing Facebook and other unnamed websites on systems with Bitdefender security software installed.
  • Fixed an issue where a geolocation permission prompt would be shown again on a second attempt.
  • Fixed an issue that prevented tabs to be added to older saved tab groups.
  • Fixed a drop-down menu display issue that had them show all list items at once.
  • Fixed a zooming issue on macOS and Windows that caused some borders and outlines on some page elements to disappear.

The change affects Firefox indirectly only. Mozilla increased the email masks limit of its Relay service to 50 for free users. The previous limit was five.

The new versions are available already. Most non-managed systems should get the updates automatically, but you can speed up the installation by selecting Menu > Help > About Firefox.

About Brave Browser’s Shred Button on Android

Posted on by Martin Brinkmann

Back in late 2024, Brave introduced a Shred button for its mobile browser on iOS. Now, that same function is finally coming to Android as part of the Brave 1.89 release.

What does Shred do? Shred is a privacy feature that deletes site data that could be used to identify users across visits.

The main idea is to visit a site and, before you leave, hit the shred button to remove potentially identifiable information. It is designed to remove stored data from a single website.

Brave describes it in a new post on its website:

Shred lets you instantly erase any data a site stores on your device. Shred on Android offers the same easy and site-specific data erasure as Shred on iOS. This means you can instantly wipe one website’s stored data without being forcibly logged out of all websites, eliminating the need for complex site-by-site exceptions. This sets Shred apart from similar features in other privacy-focused browsers.

But the manual option is not the only one available. You can also set up shred to automatically delete data on specific websites. Have a site that you visit frequently but want to know as little as possible about you and your activity? The Auto Shred may be the option for you then.

Brave highlights that Shred has other applications, other than protecting against tracking. For instance, it may help with visits to sites that limit access to content artificially for a period, like three free articles per week or month.

Here is how you use the new Shred feature:

  • Open the main menu of the browser and pick Shred site data.
  • Open the tab switcher and tap on the Shred icon.
  • Open the Shields icon and select the Shred option.

To configure auto-shredding, do the following:

  1. Open the Shields icon on the site that you want to configure Auto Shred for.
  2. Select Advanced Controls > Shred site’s data.
  3. Tap on Auto Shred and set it to “site tab closed” or “app close”.

Brave will then shred the site automatically when you close it or when you close the browser.

Last but not least, you can also configure the behavior for all sites.

  1. Open the Settings.
  2. Go to Brave Shields & privacy.
  3. Tap on Auto Shred.

There you get the same two options (tab close or app close).