Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from major security news organizations.
Microsoft’s May 2026 Patch Tuesday addresses 120 vulnerabilities with no actively exploited or publicly disclosed zero-days, the first such Patch Tuesday since June 2024, a stretch of nearly two years. Tenable, ZDI, and Qualys all confirm the status. Inside the Critical-severity bucket are three remote code execution flaws at CVSS 9.8 or higher (Netlogon, Windows DNS Client, and Microsoft Dynamics 365) that belong at the top of the deployment queue regardless. In the background, the Secure Boot certificate deadline is 45 days away.
A Quiet Month, Not an Empty One
Zero Day Initiative’s Dustin Childs confirmed that “none of the bugs patched by Microsoft this month are listed as publicly known or under active attack.” The absence of active exploitation breaks a 23-month streak (the last all-clear Patch Tuesday was June 2024) and gives administrators a rare window to patch without an in-the-wild clock ticking on a specific CVE.
The respite is narrow, though. Two of this month’s Critical RCEs, Netlogon and DNS Client, are reachable over the network without credentials, and Childs called those two fixes the priority patches of the month regardless of the absence of exploitation reports.
The CVSS 9.8+ Network RCEs
CVE-2026-41089 - Windows Netlogon Remote Code Execution (CVSS 9.8). Stack-based buffer overflow enabling unauthenticated remote code execution against domain controllers. ZDI flags this as wormable, and Childs observed that “a compromised domain controller is a compromised domain.” No credentials or user interaction are required. Domain controllers go to the front of the queue.
CVE-2026-41096 - Windows DNS Client Remote Code Execution (CVSS 9.8). Heap-based buffer overflow triggered by malicious DNS responses. Affects virtually every Windows machine. Exploitation requires either a man-in-the-middle position on the DNS path or a rogue DNS server, but the attack surface is enormous: any workstation or laptop that resolves names over an untrusted network qualifies.
CVE-2026-42898 - Microsoft Dynamics 365 Remote Code Execution (CVSS 9.9). Code injection allowing an authenticated user to execute code outside their normal scope. The CVE is flagged as a rare scope-change vulnerability (CVSS Scope: Changed, which is what lifts the score to 9.9): a successful exploit affects resources beyond the security authority of the vulnerable component itself, which makes blast-radius testing important before deployment.
A fourth RCE, CVE-2026-40415 in TCP/IP, is also rated wormable by ZDI, but exploitation requires sustained low-memory conditions on the target, which makes reliable weaponization difficult. Patch it on schedule; the immediate priority is the three above.
The Category Breakdown
| Category | Count |
|---|---|
| Elevation of Privilege | 61 |
| Remote Code Execution | 31 |
| Information Disclosure | 14 |
| Spoofing | 13 |
| Denial of Service | 8 |
| Security Feature Bypass | 6 |
The EoP-to-RCE ratio looks similar to April’s: privilege escalation continues to dominate Microsoft’s monthly bulletins as the post-compromise ladder of choice. Two Windows Kernel EoPs (CVE-2026-33841 and CVE-2026-40369) carry the “Exploitation More Likely” tag.
CVE totals vary by methodology. BleepingComputer and Cybersecurity News count 120, Tenable counts 118 after excluding one AMD CPU CVE, while ZDI and Qualys count 137 to 138 by including peripheral Microsoft product fixes. The 120 figure is the Security Update Guide’s in-scope core count. Note that the category table above sums to 133, so it follows a different scope from the 120 figure; compare counts within a single source rather than across them.
The Secure Boot Deadline, 45 Days Out
The June 26, 2026 Secure Boot certificate expiration that the April post made its centerpiece remains on schedule. Microsoft’s original 2011 certificates expire that day; devices that have not received the 2023 replacement certificates lose Secure Boot protection, and some will fail to boot.
The Secure Boot status indicator that Microsoft added to the Windows Security app under Device security in April is now joined by administrator-targeted notifications in this month’s update, and Defender for Endpoint surfaces certificate readiness as a posture finding. For at-scale verification across an enterprise fleet, Microsoft’s Secure Boot certificate update playbook walks through the documented procedures.
The devices that fall through the gaps are typically the ones with no Windows Update connectivity for an extended window โ disconnected industrial systems, field hardware, air-gapped lab machines.
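A per-device readiness check, as an added example rather than the post’s own script or Microsoft’s playbook: it reads the UEFI db and KEK variables through the built-in Secure Boot cmdlets and looks for the 2023 CA names, so it also works on the disconnected and air-gapped machines above that never report into Defender. The function name, the output fields, and the optional registry status read (the Servicing key and its UEFICA2023Status value, as documented by Microsoft for the 2023 rollout; treat the value name as an assumption if your build lacks it) are mine. Run it in an elevated session.

```powershell
# Added example, not from the original post or from Microsoft's playbook.
# Checks one Windows device for Secure Boot 2023 certificate readiness.
# Requires an elevated PowerShell session on a UEFI machine.

function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootEnabled    = $false
        DbHasWindowsUefiCa2023 = $false     # "Windows UEFI CA 2023" (replaces Windows Production PCA 2011)
        DbHasProductionPca2011 = $false     # the expiring 2011 signer; normally still present alongside 2023
        KekHas2023Ca           = $false     # "Microsoft Corporation KEK 2K CA 2023"
        ServicingStatus        = $null      # assumed registry value: NotStarted / InProgress / Updated
        Ready                  = $false
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems; treat that as "not enabled".
    try   { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBootEnabled = $false }

    if ($result.SecureBootEnabled) {
        # db and KEK are EFI_SIGNATURE_LISTs holding DER certificates. The CN strings inside
        # the DER are plain ASCII, so a substring match on the raw bytes identifies the CAs.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

        $result.DbHasWindowsUefiCa2023 = $db  -match 'Windows UEFI CA 2023'
        $result.DbHasProductionPca2011 = $db  -match 'Microsoft Windows Production PCA 2011'
        $result.KekHas2023Ca           = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Optional: Microsoft's servicing status for the 2023 rollout (value name assumed; see lead-in).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $servicingKey) {
        $result.ServicingStatus = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
    }

    # Minimum bar for June 26: Secure Boot on and the Windows UEFI CA 2023 enrolled in db.
    $result.Ready = $result.SecureBootEnabled -and $result.DbHasWindowsUefiCa2023
    [pscustomobject]$result
}

# Single machine:
Get-SecureBootCertReadiness | Format-List

# Fleet sweep over WinRM (hosts.txt is a hypothetical inventory file):
# $hosts = Get-Content .\hosts.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-SecureBootCertReadiness} |
#     Where-Object { -not $_.Ready } |
#     Export-Csv .\secureboot-not-ready.csv -NoTypeInformation
```

The db match is the part that matters for the deadline; the 2011 CA still being present is expected, since Microsoft adds the 2023 certificates alongside the old ones rather than replacing them. For machines without WinRM, the function can be dropped into a USB-carried script and its output collected by hand.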
Office Preview Pane Continues
The Word RCEs that started in March and continued in April are back this month: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367 all enable code execution via Microsoft Word, with the first two flagged “Exploitation More Likely.” Several are Preview-Pane-triggerable: a user who receives an Outlook message with a hostile attachment does not need to open the attachment, because rendering it in the Preview Pane is enough to fire the exploit. Apply the Office updates with the same urgency as the OS cumulative.
CVE-2026-35421 in Windows GDI is a heap-based buffer overflow reachable through malicious Enhanced Metafile (EMF) files in Microsoft Paint and other GDI-consuming applications, a reminder that EMF parsing has been a vulnerability surface for roughly 30 years.
What Landed on My Desktop
Four updates shipped to a Windows 11 Enterprise LTSC 24H2 client at the first scan after release:
| KB | Title | Reported Size |
|---|---|---|
| KB5089549 | 2026-05 Security Update (26100.8457) | 92,489.6 MB |
| KB5093447 | 2026-05 .NET 8.0.27 Security Update for x64 Client | 240.7 MB |
| KB5087054 | 2026-05 .NET Framework Security Update | 147.1 MB |
| KB890830 | Windows Malicious Software Removal Tool v5.141 | 83.0 MB |
KB5089549 brings the client to build 26100.8457.
The actual install timing from a scripted Windows Update Agent run:
```text
2026-05-12 14:01:28 Scan start
2026-05-12 14:01:50 4 updates found
2026-05-12 14:01:50 Download start
2026-05-12 14:07:06 Download complete (5m 16s)
2026-05-12 14:07:06 Install start
2026-05-12 14:29:00 Install complete (21m 54s)
2026-05-12 14:29:30 Reboot
```
Total wall-clock time from scan to reboot was about 28 minutes, roughly the same envelope as April’s release. The 92,489.6 MB figure for KB5089549 is again the MaxDownloadSize artifact of the Windows Update Agent API; last month’s post walks through why the API exposes both MaxDownloadSize and MinDownloadSize, and why the 92 GB number does not reflect actual disk consumption. The real install is a small fraction of that.
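A scripted run of the kind described above, as an added example and not the post’s own script: it drives the Windows Update Agent COM API through the same scan, download and install phases with timestamps, and lists MaxDownloadSize next to MinDownloadSize for every update it finds, so the inflated figure can be compared with the other bound the API reports. The script name, the -Install switch, the ClientApplicationID label and the default search criteria are mine; run it elevated on the client being timed.

```powershell
# Added example (not the post's own script). Drives the Windows Update Agent COM API
# through the scan / download / install phases logged above, with timestamps, and
# lists MaxDownloadSize next to MinDownloadSize for every update found.
# Default is a dry run (scan and list only); pass -Install to download and install.
# Run in an elevated PowerShell session on the target client.
param(
    [switch]$Install,
    [string]$Criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"
)

function Write-Phase([string]$Message) {
    Write-Host ("{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message)
}

function Format-Elapsed([datetime]$Since) {
    $span = (Get-Date) - $Since
    "{0}m {1:00}s" -f [int][math]::Floor($span.TotalMinutes), $span.Seconds
}

$session = New-Object -ComObject Microsoft.Update.Session
$session.ClientApplicationID = "patch-timing-example"   # label visible in WUA logs (name assumed)
$searcher = $session.CreateUpdateSearcher()

Write-Phase "Scan start"
$search = $searcher.Search($Criteria)
Write-Phase ("{0} updates found" -f $search.Updates.Count)

# IUpdate exposes two size properties. MaxDownloadSize is the inflated figure the
# table above shows; MinDownloadSize is the other bound the API reports.
$search.Updates | ForEach-Object {
    [pscustomobject]@{
        KB    = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title = $_.Title
        MaxMB = [math]::Round($_.MaxDownloadSize / 1MB, 1)
        MinMB = [math]::Round($_.MinDownloadSize / 1MB, 1)
    }
} | Format-Table -AutoSize | Out-Host

if (-not $Install) {
    Write-Phase "Dry run complete; rerun with -Install to download and install"
    return
}

# Build the collection to act on; unaccepted EULAs block the download.
$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $search.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}

$t = Get-Date
Write-Phase "Download start"
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
$dl = $downloader.Download()          # OperationResultCode: 2 = succeeded
Write-Phase ("Download complete ({0}, ResultCode={1})" -f (Format-Elapsed $t), $dl.ResultCode)

$t = Get-Date
Write-Phase "Install start"
$installer = $session.CreateUpdateInstaller()
$installer.Updates = $coll
$inst = $installer.Install()
Write-Phase ("Install complete ({0}, ResultCode={1})" -f (Format-Elapsed $t), $inst.ResultCode)

if ($inst.RebootRequired) {
    Write-Phase "Reboot required; restart when the maintenance window allows"
}
```

The dry run alone is enough to reproduce the size table: on a client that has not yet installed the cumulative, the MaxMB column for the OS update will show the tens-of-gigabytes figure while the actual transfer in the download phase is far smaller. Keep the timestamps from several months of runs; a change in the install-phase envelope is an early signal of a servicing-stack or component-store problem on that image.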
Recommendations
Priority order for this month:
- CVE-2026-41089 (Netlogon RCE, CVSS 9.8): unauthenticated, wormable. Domain controllers first.
- CVE-2026-41096 (DNS Client RCE, CVSS 9.8): virtually every Windows endpoint. Stage broadly.
- CVE-2026-42898 (Dynamics 365 RCE, CVSS 9.9): test the scope-change behavior before rollout.
- CVE-2026-40361 / 40364 (Word RCE, “Exploitation More Likely”): push the Office updates in parallel with the OS cumulative.
- CVE-2026-33841 / 40369 (Kernel EoP, “Exploitation More Likely”): covered by the OS cumulative.
- CVE-2026-35421 (GDI heap overflow): covered by the OS cumulative; no separate action.
- Secure Boot readiness: verify the Windows UEFI CA 2023 certificate is present on every device. 45 days remaining.
A quiet zero-day month is the most welcome thing about May, but the three CVSS 9.8+ RCEs deserve the same urgency as if one of them were already being exploited. Treat the absence of in-the-wild reports as a head start, not a reprieve.
Sources
- BleepingComputer - Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
- Tenable - Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
- Zero Day Initiative - The May 2026 Security Update Review
- Qualys - Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review
- Microsoft Support - May 12, 2026 - KB5089549 (OS Builds 26200.8457 and 26100.8457)
- Microsoft Tech Community - Secure Boot playbook for certificates expiring in 2026
- BleepingComputer - Windows 11 KB5089549 & KB5087420 cumulative updates released
- Direct Business Technologies - May 2026 Microsoft Patch Tuesday
- Cybersecurity News - Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws
