If April 2026 was an avalanche of patches, May brings a welcome breather from zero-days but keeps the critical severity count high.
Microsoft’s fifth Patch Tuesday of 2026 has arrived, addressing 120 vulnerabilities in total. While it breaks a long-standing streak by featuring zero publicly disclosed or actively exploited zero-day flaws, the sheer volume of severe remote code execution (RCE) bugs demands attention.
The update contains 17 critical flaws affecting a wide range of enterprise products, including Windows Netlogon, DNS Client, Azure DevOps, and Microsoft Word.
Here is the breakdown of what you need to know, what to patch first, and what might break.
You can download an Excel spreadsheet with information about the patches that Microsoft released:
The May 2026 Patch Day overview
Executive Summary
- Release Date: May 12, 2026
- Total Vulnerabilities: 120
- Critical Vulnerabilities: 17
- Zero-Days: 0
Key Action Item: Administrators must prioritize patching network-exposed infrastructure, specifically domain controllers affected by the Netlogon vulnerability (CVE-2026-41089) and systems running the Windows DNS Client. Simultaneously, Microsoft Office installations need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities that can be triggered simply via the Windows Preview Pane.
Important Patches
- CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability
- CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability
- CVE-2026-42826 — Azure DevOps Information Disclosure Vulnerability
- CVE-2026-40364 — Microsoft Office Word Remote Code Execution Vulnerability
- CVE-2026-40402 — Windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2026-32185 — Microsoft Teams Spoofing Vulnerability
Cumulative Updates
| Product, Version | Links | Notes |
| Windows 11 & Windows 10 | KB5087544 (Windows 10) KB5089549 (Windows 11) | Security updates addressing OS-level RCEs in Netlogon, DNS Client, and Windows Graphics components (Win32k). Also resolves various Elevation of Privilege flaws across the Windows Kernel. |
Deep Dive: The Critical Vulnerabilities
Microsoft confirmed that it patched zero 0-day vulnerabilities this Patch Day, but addressed a heavy enterprise focus of critical remote code execution and information disclosure flaws.
Here is the critical overview:
CVE-2026-41089 (Windows Netlogon Remote Code Execution Vulnerability)
A critical stack-based buffer overflow flaw (CVSS 9.8) affecting Windows Netlogon. A remote, unauthenticated attacker could exploit this by sending a crafted network request to a Windows server running as a domain controller. If successful, this causes the Netlogon service to improperly handle the request, allowing the attacker to execute malicious code without requiring any prior access or credentials.
CVE-2026-41096 (Windows DNS Client Remote Code Execution Vulnerability)
This critical heap-based buffer overflow vulnerability (CVSS 9.8) affects the Windows DNS service. It allows remote code execution over the network and can be exploited by sending a malicious DNS response, triggering memory corruption within the Windows DNS client. Depending on the configuration, an unauthenticated attacker can achieve full RCE.
CVE-2026-42826 (Azure DevOps Information Disclosure Vulnerability)
This is the highest-rated flaw this month, boasting a perfect CVSS score of 10.0. While Microsoft withheld specific exploitation details, a perfect severity score indicates that unauthenticated attackers could potentially access highly sensitive enterprise data, credentials, and source code stored or handled in Azure DevOps.
CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367 (Microsoft Word RCE Vulnerabilities)
A cluster of critical vulnerabilities in Microsoft Word (CVSS 8.4) that allow an unauthorized attacker to execute code locally. Notably, these flaws can be triggered through the Windows Preview Pane, meaning a user only needs to preview a specially crafted document to be compromised, without ever fully opening the file.
CVE-2026-40402 (Windows Hyper-V Elevation of Privilege Vulnerability)
A severe flaw (CVSS 9.3) allowing for a guest-to-host escape in Windows Hyper-V. By targeting certain hardware device registers, an attacker operating from within a guest virtual machine can escape the isolated environment and gain SYSTEM privileges on the underlying host system.
First Steps: Your Patch Tuesday Strategy
- Prioritize Domain Controllers (Netlogon) and DNS Client services
- Address high-risk Azure deployments (DevOps, Cloud Shell)
- Update Office installations immediately to mitigate Preview Pane risks