Microsoft’s May 2026 Patch Tuesday fixes 120 flaws with no zero-days reported

Microsoft’s May 2026 Patch Tuesday update fixes 120 security flaws across Windows, Office, SharePoint, Dynamics 365, SQL Server, Azure tools, Visual Studio Code, and Microsoft 365 services.

The update does not include any vulnerabilities listed as publicly disclosed or actively exploited at release time. That makes it a calmer month than several recent Patch Tuesday cycles, but the update still includes serious bugs that enterprises should patch quickly.

The most important detail is the remote code execution risk. Microsoft fixed 31 RCE vulnerabilities this month, including 14 rated Critical. Several of them affect widely used enterprise components, including Windows DNS Client, Windows Netlogon, Microsoft Office, Microsoft Word, Microsoft SharePoint Server, and Dynamics 365 on-premises.

May 2026 Patch Tuesday at a glance

Category	Details
Total flaws fixed	120
Critical vulnerabilities	17
Remote code execution flaws	31
Critical RCE flaws	14
Zero-days	None disclosed or actively exploited at release
Main products affected	Windows, Office, SharePoint Server, Dynamics 365, SQL Server, Visual Studio Code, Azure services, and Microsoft 365 components

Why this update still matters

A Patch Tuesday release without zero-days can look less urgent at first. This month’s update still deserves attention because several flaws sit in sensitive areas of enterprise networks.

Windows DNS Client and Windows Netlogon stand out because they deal with name resolution and authentication. Bugs in these areas can become high-priority targets if attackers find reliable exploit paths.

Office and Word flaws also raise concern because users handle documents every day. A malicious file or preview-based attack can create risk in environments where employees regularly receive attachments from outside the organization.

Key vulnerability categories

Vulnerability type	Count
Elevation of privilege	61
Security feature bypass	6
Remote code execution	31
Information disclosure	14
Denial of service	8
Spoofing	13

DNS and Netlogon flaws need quick attention

One of the most serious issues is CVE-2026-41096, a Windows DNS Client remote code execution vulnerability. Microsoft’s advisory says a crafted DNS response could make the DNS Client process data incorrectly and corrupt memory.

CVE-2026-41089 is another major enterprise concern. The Windows Netlogon flaw affects domain controller scenarios and could allow remote code execution over a network without prior access in affected configurations.

These two flaws matter because they involve systems that help Windows networks function. Security teams should prioritize domain controllers, DNS-reliant systems, and high-value Windows servers during patch deployment.

Office, Word, and SharePoint remain major targets

Microsoft also fixed multiple Office, Word, and Excel vulnerabilities that could lead to remote code execution. These issues matter because attackers often use documents as an entry point into corporate environments.

Several Word vulnerabilities received Critical ratings. The risk increases in workplaces where users preview or open files from email, shared drives, collaboration platforms, or external senders.

SharePoint Server also received remote code execution fixes. Organizations that run SharePoint on-premises should treat these patches as urgent because exposed collaboration servers can attract fast attacker interest after public patch details appear.

Windows 11 and Windows 10 updates are also rolling out

For Windows 11, Microsoft released KB5089549 for versions 25H2 and 24H2. The update moves those systems to OS builds 26200.8457 and 26100.8457 and includes the latest security fixes plus improvements from the previous optional preview update.

For Windows 10, Microsoft released KB5087544 for supported and ESU-covered systems. Windows 10 version 22H2 moves to build 19045.7291, while version 21H2 LTSC moves to build 19044.7291.

Windows 10 users should also remember that regular support ended for many editions. Devices still running Windows 10 need valid Extended Security Updates coverage or a supported servicing path to keep receiving monthly security fixes.

AI also shaped this Patch Tuesday release

Microsoft says 16 vulnerabilities in the May 2026 release were found through its new multi-model AI security system, code-named MDASH. The system helped researchers find issues across the Windows networking and authentication stack.

The company says MDASH uses more than 100 specialized AI agents to scan, debate, validate, and prove security findings. Microsoft framed this as part of a broader shift toward AI-assisted vulnerability discovery at scale.

This matters for defenders because Patch Tuesday volumes may keep growing. AI can help vendors find more bugs, but it also increases the pressure on IT teams to triage, test, and deploy fixes faster.

What admins should patch first

• Patch domain controllers and systems exposed to Netlogon risk.
• Prioritize Windows systems that rely heavily on DNS resolution.
• Update Office, Word, and Excel on systems that receive external documents.
• Patch SharePoint Server installations, especially internet-facing or partner-facing deployments.
• Review Dynamics 365 on-premises systems and apply vendor guidance quickly.
• Test and deploy Windows 11 KB5089549 and Windows 10 KB5087544 according to your normal rollout process.
• Check Secure Boot certificate readiness across managed Windows devices.

What users should do now

Home users should install the latest Windows updates through Settings as soon as they become available. Keeping Microsoft 365 apps updated also matters because several document-related bugs were fixed this month.

Business users should follow company patching rules and avoid opening unexpected attachments until their devices receive the latest Office and Windows updates.

Admins should not treat the lack of zero-days as a reason to delay. This release contains enough network, document, and server-side risk to justify a normal high-priority patch cycle.

FAQ