May 2026 Patch Tuesday dropped yesterday with 120 fixes and — for the first time since June 2024 — zero actively exploited vulnerabilities. No zero-days. No emergency patches. No “update immediately or you’re compromised” headlines.
That’s nearly two years without a clean Patch Tuesday. Enjoy it. Then go patch.
Because 120 fixes with 17 Critical-rated vulnerabilities and 31 remote code execution flaws is not a light month. The absence of a zero-day changes the urgency, not the workload.
What’s in this month’s release
The headline numbers:
- 120 vulnerabilities fixed in total
- 17 Critical — 14 of which are remote code execution
- 31 RCE flaws across the release
- 61 elevation of privilege bugs
- 14 information disclosure issues
- 8 denial of service flaws
- 6 security feature bypasses
- 13 spoofing vulnerabilities
The EoP count is the one worth paying attention to. 61 privilege escalation bugs in a single month is high. These are the flaws attackers chain together after initial access — they get in through one vulnerability, escalate through another. Two Windows Kernel EoPs (CVE-2026-33841 and CVE-2026-40369) are specifically flagged as “Exploitation More Likely” by Microsoft.
The vulnerabilities that matter most
Windows DNS Client — CVE-2026-41096 (Critical)
This is the one to patch first on domain-joined systems.
An attacker sends a malicious DNS response from an attacker-controlled DNS server. The Windows DNS client mishandles it, triggering a heap-based buffer overflow. Result: remote code execution with no authentication required.
No user interaction needed. No credentials. Just a crafted DNS packet hitting a vulnerable client. This affects any Windows system making DNS queries — which is every Windows system.
Patch domain controllers and DNS-dependent systems first.
Windows Netlogon — CVE-2026-41089 (Critical)
Similar story. Attacker sends a specially crafted network request to a domain controller. Netlogon misprocesses it. Remote code execution on the DC — again, unauthenticated.
This one affects Windows Server 2012 through Windows Server 2025, specifically targeting domain controllers. If you have internet-facing DCs (you shouldn’t, but here we are), this is a fire drill.
Microsoft Dynamics 365 On-Premises — CVE-2026-42898 (Critical, CVSS 9.9)
Highest CVSS score this month. Code injection in Dynamics 365 on-premises allows an authenticated user to execute code outside their normal scope. The “scope change” rating means a successful exploit can affect components beyond the vulnerable application itself.
If you’re running Dynamics 365 on-prem in an enterprise environment, this is your second priority after the DNS/Netlogon fixes.
Microsoft Office, Word, and Excel — Multiple CVEs
Word gets four Critical RCE flaws this month. The attack vector: malicious documents. The aggravating factor: several of these trigger through the preview pane, meaning a user doesn’t even need to open the file. Just previewing it in Explorer or Outlook is enough.
In environments where staff regularly receive external attachments — finance teams, HR, procurement — this is a meaningful risk. Office updates should be part of your standard ring this month, not deferred.
Relevant CVEs: CVE-2026-42831, CVE-2026-40363, CVE-2026-40358.
Windows GDI — CVE-2026-35421
Opening a malicious Enhanced Metafile (EMF) in Microsoft Paint triggers remote code execution. Yes, Paint. It’s still a vector.
This is a lower-probability exploit chain than the DNS or Office flaws, but EMF files can be embedded in documents and web pages. Worth patching as part of your normal rollout.
SharePoint Server — CVE-2026-40365
Remote code execution in SharePoint requiring Site Owner privileges. Authenticated attacker, network-based exploit. Lower risk than the unauthenticated flaws above, but SharePoint environments holding sensitive internal data warrant attention. A SharePoint RCE was actively exploited last month — defenders are already looking at this product family closely.
Hyper-V — CVE-2026-40402 (Critical)
Guest VM to host escape. An attacker operating from inside a guest VM can read arbitrary host kernel memory addresses. In most scenarios this causes a denial of service (Hyper-V host crash), but under specific hardware conditions it’s exploitable for a full guest-to-host escape with SYSTEM privileges.
If you’re running multi-tenant or production Hyper-V environments, this cannot be a follow-up item. Patch the hosts.
Visual Studio Code — CVE-2026-41613 through CVE-2026-41609
VS Code gets a cluster of fixes this month covering RCE, elevation of privilege, information disclosure, and security feature bypass. Developer workstations are increasingly high-value targets because they sit close to source code, deployment pipelines, and production credentials.
Don’t leave VS Code updates until the end of your patching cycle.
The Secure Boot deadline — 45 days out
Separate from this month’s patches but worth flagging: the Secure Boot certificate expiry is 45 days away. If you haven’t already worked through your device inventory and validated Secure Boot compliance, that clock is running.
We covered this in detail in our Secure Boot 2026 certificate expiry guide. Now is the time to act on it if you haven’t.
Patching strategy for May
No zero-day means you have a little more breathing room than usual. Use it sensibly.
Patch immediately:
- Windows DNS Client (CVE-2026-41096) — unauthenticated RCE, domain-wide impact
- Netlogon (CVE-2026-41089) — unauthenticated RCE on domain controllers
- Dynamics 365 on-premises (CVE-2026-42898) — CVSS 9.9, scope change
Patch this week:
- Microsoft Office, Word, Excel — preview pane RCE exposure
- Hyper-V (CVE-2026-40402) — guest-to-host escape on production hosts
- SharePoint Server — authenticated RCE
Patch in your standard ring:
- Windows GDI, VS Code, Win32k, TCP/IP, and remaining Critical/Important fixes
For Intune-managed estates, push the cumulative updates as Required through your update rings. If you have pilot → broad → deferred rings configured, validate in pilot this week and push broad by end of next week.
Windows Update links
Bottom line
120 fixes, no zero-days, first clean Patch Tuesday in nearly two years. The absence of active exploitation gives you a window — use it to prioritise properly rather than scrambling to react.
The DNS client and Netlogon unauthenticated RCEs are the ones that would turn ugly fastest if weaponised. Get those out to domain controllers and domain-joined systems first.
Everything else follows your normal process.