May 2026 Patch Tuesday: 139 Fixes, No Zero-Days, but Critical RCEs Demand Immediate Action

Overview

Microsoft’s May 2026 Patch Tuesday delivers a substantial security update package, comprising 139 patches that span Windows, Office, .NET, and SQL Server. While no zero-day vulnerabilities were addressed this month, the sheer volume and severity of fixes—including multiple remote code execution (RCE) flaws—warrant an urgent deployment schedule. Security teams should treat this release with the same priority as a zero-day outbreak, especially for internet-facing services and domain controllers.

May 2026 Patch Tuesday: 139 Fixes, No Zero-Days, but Critical RCEs Demand Immediate Action
Source: www.computerworld.com

Critical Vulnerabilities and Urgent Patches

Network-Level RCEs: Netlogon, DNS, and SSO Plugin

Three unauthenticated network RCEs stand out: one in Netlogon, another in the DNS Client, and a third affecting the SSO Plugin for Jira and Confluence. These vulnerabilities allow an attacker to execute arbitrary code without authentication, making them prime targets for wormable attacks. Organizations should prioritize patching domain controllers, DNS servers, and any systems using the SSO plugin.

Word Preview Pane RCEs

Four critical RCEs in Microsoft Word’s Preview Pane (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367) pose a significant threat because no user interaction beyond viewing a malicious document in Outlook or File Explorer is required. All four carry a CVSS score of 8.4, with the first two flagged as “Exploitation More Likely” by Microsoft. The Readiness team recommends accelerating deployment to Office endpoints, and enabling Protected View as a temporary workaround.
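As an added example (not code from the Computerworld article or from Microsoft), the following PowerShell audits whether Word's Protected View is switched off for any of its three triggers (Internet-zone files, Outlook attachments, unsafe locations) and, with `-Enforce`, forces it back on through the policy hive that Group Policy writes. It assumes Office 16.0 (Microsoft 365 Apps, Office 2016 through 2024); the value names are Microsoft's own, including the misspelt `DisableAttachementsInPV`.

```powershell
# Added example: audit (and optionally enforce) Word Protected View on this user profile.
# Assumes Office build family 16.0; adjust the two key paths for other versions.
param([switch]$Enforce)

$userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'

# Microsoft's value names; DWORD 1 means the Protected View trigger is DISABLED.
$values = @('DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV')

function Get-PvSetting {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = foreach ($v in $values) {
    $policy = Get-PvSetting -Path $policyKey -Name $v
    $user   = Get-PvSetting -Path $userKey   -Name $v
    # A policy value overrides the user preference; neither present = Office default (enabled).
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 0 }
    [pscustomobject]@{
        Trigger   = $v -replace '^Disable|InPV$', ''
        Policy    = $policy
        User      = $user
        Effective = if ($effective -eq 1) { 'DISABLED' } else { 'enabled' }
    }
}

$findings | Format-Table -AutoSize

if ($Enforce) {
    # Writing 0 under the policy key is what the GPO "Do not open files ... in Protected View"
    # set to Disabled produces; the user can no longer turn the trigger off in Trust Center.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($v in $values) { Set-ItemProperty -Path $policyKey -Name $v -Value 0 -Type DWord }
    Write-Host 'Protected View forced on via policy for all three triggers.'
} elseif ($findings.Effective -contains 'DISABLED') {
    Write-Warning 'Protected View is off for at least one trigger; re-enable it until the May Word updates are deployed.'
    exit 1
}
```

Run it per user (the keys live in HKCU), for example from a logon script, and collect the non-zero exit codes to find endpoints where the workaround is not in effect. Protected View does not stop the Preview Pane from rendering a document, so it is a stop-gap until the four Word fixes land, not a substitute for them.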

TCP/IP Vulnerability Cluster and BitLocker Carry-Over

A large cluster of TCP/IP protocol vulnerabilities further increases the attack surface. Additionally, the BitLocker recovery condition from April remains active on Windows 10 and Windows Server, potentially forcing systems into recovery mode at boot. This issue persists even after applying the May updates unless specific Group Policy settings are adjusted (see Known Issues).

Known Issues and Resolved Problems

BitLocker Recovery Condition (Windows 10/Server)

Windows 10 (version 22H2) and Windows Server systems configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy remain exposed if they have an invalid PCR7 profile. This can trigger a BitLocker recovery screen on reboot. Microsoft has acknowledged the issue but expects administrators to manually validate PCR7 settings.
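The article leaves the PCR7 validation to the administrator. As an added example (not Microsoft's code and not from the article), this elevated PowerShell gathers the inputs that validation needs on a Windows 10 or Windows Server host: whether the "native UEFI" platform validation policy is applied and which PCRs it lists, whether PCR7 is among them, whether Secure Boot (the thing PCR7 measures) is actually on, and what protectors the OS volume carries. It assumes the policy is stored under `HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` with one DWORD per PCR index, which is how that Group Policy setting is written.

```powershell
# Added example: surface the BitLocker / PCR7 configuration an admin must validate
# before rebooting a patched Windows 10 or Windows Server host. Run elevated.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

# PCR7 binding only makes sense with Secure Boot on; on legacy BIOS the cmdlet throws.
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

# When the GPO is applied the key holds Enabled=1 plus a DWORD named "0".."23" per PCR,
# 1 = that PCR is part of the validation profile the TPM seals the key against.
$profile = $null
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    if ($p.Enabled -eq 1) {
        $profile = 0..23 | Where-Object { ($p.PSObject.Properties.Name -contains "$_") -and ($p."$_" -eq 1) }
    }
}

$os       = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmBound = $os.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$recovery = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SecureBoot       = $secureBoot
    VolumeStatus     = $os.VolumeStatus
    Protection       = $os.ProtectionStatus
    TpmProtector     = [bool]$tpmBound
    RecoveryProtectr = [bool]$recovery
    PolicyProfile    = if ($null -ne $profile) { $profile -join ',' } else { '(policy not applied; Windows default profile)' }
    Pcr7InProfile    = ($profile -contains 7)
} | Format-List

# The combination the article warns about: TPM-bound OS volume, PCR7 in the enforced
# profile, and a measurement that will not match at boot (Secure Boot off is the obvious case).
if ($tpmBound -and ($profile -contains 7) -and -not $secureBoot) {
    Write-Warning 'PCR7 is in the validation profile but Secure Boot is off: expect a BitLocker recovery prompt on reboot.'
}
if ($tpmBound -and -not $recovery) {
    Write-Warning 'No recovery password protector on the OS volume: add and escrow one before patching.'
}

# The profile the TPM protector was actually sealed with, straight from manage-bde.
manage-bde -protectors -get $env:SystemDrive
```

Compare the `PCR Validation Profile` printed by `manage-bde` with `PolicyProfile`: a mismatch means the protector predates the policy and the next boot will be validated against the policy's set, not the one the key was sealed with. Escrow the recovery password (`Backup-BitLockerKeyProtector` to Active Directory or `BackupToAAD-BitLockerKeyProtector` to Entra ID) before the maintenance window, so a recovery prompt is an inconvenience rather than an outage.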

Graphics Driver Downgrade via Windows Update

Windows Update has been replacing manually installed graphics drivers with older OEM versions, causing unwanted downgrades. Microsoft attributes this to a ranking mechanism based on four-part Hardware IDs rather than version numbers. IT teams managing display drivers should temporarily disable automatic driver updates until a permanent fix is released.
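The article's mitigation is to keep Windows Update away from drivers until the ranking problem is fixed. As an added example (not from the article or Microsoft), this elevated PowerShell records a baseline of the installed display drivers, flags any whose version has gone backwards since the last run, and with `-Enforce` sets the "Do not include drivers with Windows Updates" policy (`ExcludeWUDriversInQualityUpdate`). The baseline path under `ProgramData` is an assumption; pick whatever your fleet uses.

```powershell
# Added example: detect display-driver downgrades and optionally stop WU from shipping drivers.
# Run elevated. Baseline location is an assumed path, change to suit.
#Requires -RunAsAdministrator
param([switch]$Enforce)

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$valueName = 'ExcludeWUDriversInQualityUpdate'   # DWORD 1 = driver packages excluded from WU
$baseline  = Join-Path $env:ProgramData 'display-driver-baseline.csv'   # assumed path

# Inventory: version plus the hardware ID the article says WU ranks on, as the comparison key.
$display = Get-CimInstance Win32_PnPSignedDriver -Filter "DeviceClass='DISPLAY'" |
    Select-Object DeviceName, DriverVersion, DriverDate, DriverProviderName, HardwareID
$display | Format-Table -AutoSize

# Downgrade check against the previous run (if any) before the baseline is overwritten.
if (Test-Path $baseline) {
    $old = Import-Csv -Path $baseline
    foreach ($d in $display) {
        $prev = $old | Where-Object { $_.HardwareID -eq $d.HardwareID } | Select-Object -First 1
        if (-not $prev) { continue }
        try {
            if ([version]($d.DriverVersion) -lt [version]($prev.DriverVersion)) {
                Write-Warning "$($d.DeviceName): driver went from $($prev.DriverVersion) to $($d.DriverVersion) (downgrade)"
            }
        } catch {
            # Not every vendor uses a four-part dotted version; fall back to a plain change notice.
            if ($d.DriverVersion -ne $prev.DriverVersion) {
                Write-Warning "$($d.DeviceName): driver changed from $($prev.DriverVersion) to $($d.DriverVersion)"
            }
        }
    }
}
$display | Export-Csv -Path $baseline -NoTypeInformation

$current = (Get-ItemProperty -Path $wuPolicy -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Host 'Drivers are already excluded from Windows Update on this host.'
} elseif ($Enforce) {
    if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
    Set-ItemProperty -Path $wuPolicy -Name $valueName -Value 1 -Type DWord
    Write-Host "Set $valueName=1; Windows Update will no longer offer driver packages."
} else {
    Write-Warning 'Windows Update may still replace these drivers; re-run with -Enforce to exclude drivers from WU.'
}
```

Schedule the script to run after each update cycle so a downgrade shows up as a warning in the output rather than as a helpdesk ticket. The policy is host-wide: it also stops WU from delivering driver fixes you do want, so track the setting and remove it once Microsoft ships the permanent correction.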



Resolved Issues in KB5089549

For Windows 11 (versions 25H2 and 24H2), KB5089549 resolves the April PCR7/BitLocker recovery condition and improves Boot Manager servicing to prevent future recovery triggers. The update also introduces a new C:\Windows\SecureBoot folder containing automation scripts to help IT roll out the Windows UEFI CA 2023 key replacement (CVE-2023-24932), ahead of the 2011 certificate expirations scheduled between June and October 2026.

Additional Updates and Mitigations

Secure Boot Certificate Transition

The Secure Boot certificate distribution update adds automation scripts to streamline the migration from the 2011 UEFI CA certificates to the new 2023 keys. This is a proactive measure to maintain Secure Boot integrity as older certificates expire later this year.
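The KB5089549 scripts described above and this certificate transition both come down to the same question: which UEFI CAs does this host trust, and which one signed the boot manager it is running? As an added example (not Microsoft's script and not from the article), this elevated PowerShell reads the Secure Boot `db` and `KEK` variables, looks for the 2011 and 2023 certificate subjects, checks for the `C:\Windows\SecureBoot` folder the article says the update creates, and reports the signer of `bootmgfw.efi` on the EFI system partition. The drive letter `S:` used to mount that partition is an assumption; the text search over the variable bytes works because certificate subjects are stored as plain ASCII inside the signature lists.

```powershell
# Added example: where does this host stand in the 2011 -> 2023 Secure Boot CA transition?
# Run elevated on a UEFI system. S: is an assumed free drive letter for the EFI partition.
#Requires -RunAsAdministrator

function Test-UefiVarContains {
    param([string]$Variable, [string]$Pattern)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    # Subjects are ASCII within the EFI_SIGNATURE_LIST payloads, so a substring match suffices.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Pattern))
}

$report = [ordered]@{
    SecureBootEnabled       = (Confirm-SecureBootUEFI)
    Db_WindowsUefiCa2023    = Test-UefiVarContains -Variable db  -Pattern 'Windows UEFI CA 2023'
    Db_WindowsProdPca2011   = Test-UefiVarContains -Variable db  -Pattern 'Microsoft Windows Production PCA 2011'
    Kek_Microsoft2023       = Test-UefiVarContains -Variable KEK -Pattern 'Microsoft Corporation KEK 2K CA 2023'
    Kek_Microsoft2011       = Test-UefiVarContains -Variable KEK -Pattern 'Microsoft Corporation KEK CA 2011'
    ScriptFolderPresent     = Test-Path (Join-Path $env:SystemRoot 'SecureBoot')   # folder the article attributes to KB5089549
}

# Which CA signed the boot manager actually installed on the EFI system partition?
$esp = 'S:'
if (Test-Path "$esp\") { throw "$esp is already in use; pick another letter." }
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    $report['BootManagerSigner'] = $sig.SignerCertificate.Subject
    $report['BootManagerSigOk']  = ($sig.Status -eq 'Valid')
} finally {
    mountvol $esp /D | Out-Null
}

[pscustomobject]$report | Format-List

# Read-out: the 2023 CA must be in db BEFORE a 2023-signed boot manager is installed,
# otherwise the firmware will refuse to load it. Flag that ordering problem explicitly.
if (-not $report.Db_WindowsUefiCa2023 -and $report.BootManagerSigner -match 'Windows UEFI CA 2023') {
    Write-Warning 'Boot manager is 2023-signed but the 2023 CA is not in db: this host will not boot with Secure Boot on.'
}
if ($report.Db_WindowsUefiCa2023 -and $report.BootManagerSigner -match 'Production PCA 2011') {
    Write-Host '2023 CA trusted; boot manager still 2011-signed. Next step is the boot manager update.'
}
```

Run it before and after the automation scripts so the inventory shows each host moving through the stages (2023 CA added to `db`, boot manager re-signed) rather than guessing from the update history. Firmware that refuses the `db` update will show `Db_WindowsUefiCa2023 = False` after the scripts have run; those machines need a firmware update from the OEM before the 2011 certificates expire.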

SSDP Reliability Improvement

The Simple Service Discovery Protocol (SSDP) notification reliability has been improved to prevent service unresponsiveness under sustained load. This fix is particularly relevant for networks using UPnP device discovery.

Conclusion: Patch Now

Despite the absence of zero-days, the May 2026 Patch Tuesday release contains critical vulnerabilities that could be exploited without user interaction. The combination of network-level RCEs, Word Preview Pane flaws, and the unresolved BitLocker issue demands an accelerated testing and deployment schedule. Start with internet-facing services, domain controllers, and Office endpoints. For detailed deployment risk assessments, refer to the May 2026 Assurance Security Dashboard. Don’t wait—patch now.
