Microsoft May 2026 Patch Tuesday: ​
April 2026's Microsoft Security Updates

Release Date: Tuesday, May 12, 2026
Release Time: 10:00 AM PST / 1:00 PM EST / 6:00 PM UTC
Status: Released
Last Updated: May 12, 2026

Executive Summary

Microsoft has released its May 2026 Patch Tuesday security updates, addressing 118 CVEs across Windows, Office, Azure, and server products. This release marks a significant milestone: for the first time since June 2024, Microsoft has shipped a monthly security update with zero actively exploited or publicly disclosed zero-day vulnerabilities. While this represents positive progress, the release still includes 16 critical-severity vulnerabilities requiring immediate attention, and organizations have only 45 days remaining until the critical June 26, 2026 Secure Boot certificate expiration deadline.

Key Highlights:

• 118 total CVEs addressed (16 Critical, 102 Important severity)
• Zero actively exploited zero-days (first clean release since June 2024)
• Continued deployment of updated Secure Boot certificates (critical for June 26 deadline)
• Multiple critical RCE vulnerabilities in Microsoft Word requiring immediate attention
• Elevation of Privilege vulnerabilities dominate at 48.3% of total patches
• Third-party updates from Adobe, Google Chrome, Mozilla, Oracle, and others

Critical Priority Actions:

• Deploy May patches immediately following testing protocols
• Verify Secure Boot certificate installation on all Windows devices
• Complete OEM firmware updates from Dell, HP, Lenovo, and other manufacturers
• Validate certificate deployment status before June 26 expiration
• Test Office applications thoroughly due to multiple critical RCE vulnerabilities

The absence of actively exploited zero-days provides a welcome reprieve, but organizations must use this window to accelerate patch deployment and complete Secure Boot certificate validation before the June 26 deadline.

May 2026 Patch Tuesday: Release Overview

Vulnerability Distribution by Severity

Microsoft's May release addresses 118 unique CVEs (excluding AMD CPU vulnerability CVE-2025-54518, which was issued by AMD). The severity distribution breaks down as follows:

• Critical Severity: 16 CVEs (13.6%)
• Important Severity: 102 CVEs (86.4%)
• Moderate Severity: 0 CVEs
• Low Severity: 0 CVEs

The concentration of critical vulnerabilities, though smaller in percentage than recent months, still requires urgent attention due to the potential for remote code execution and system compromise.

Vulnerability Distribution by Impact Type

Elevation of Privilege vulnerabilities continue to dominate Microsoft's security landscape, accounting for nearly half of all patched issues:

• Elevation of Privilege (EoP): 57 CVEs (48.3%)
• Remote Code Execution (RCE): 29 CVEs (24.6%)
• Information Disclosure: 15 CVEs (12.7%)
• Security Feature Bypass: 9 CVEs (7.6%)
• Denial of Service (DoS): 5 CVEs (4.2%)
• Spoofing: 3 CVEs (2.5%)

The high proportion of EoP vulnerabilities reflects Microsoft's continued focus on addressing privilege escalation issues in Windows kernel and system components, which are frequently chained with other exploits in sophisticated attack campaigns.

Zero-Day Status: First Clean Release in 11 Months

May 2026 marks a significant milestone: this is the first Patch Tuesday since June 2024 without any actively exploited or publicly disclosed zero-day vulnerabilities. To understand the significance of this achievement, consider the Q1 2026 zero-day context:

• January 2026: 3 actively exploited zero-days
• February 2026: 6 actively exploited zero-days (unprecedented)
• March 2026: 2 publicly disclosed zero-days
• April 2026: Zero-day status data still emerging
• May 2026: Zero actively exploited or publicly disclosed zero-days

While the absence of zero-days is positive news, organizations should not interpret this as a reduction in overall threat level. The 16 critical-severity vulnerabilities, particularly those assessed as "Exploitation More Likely" by Microsoft's Exploitability Index, still pose significant risk and require rapid deployment.

Critical Vulnerabilities Requiring Immediate Attention

CVE-2026-41103: Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege

CVSS Score: 9.1 (Critical)
Exploitability Assessment: Exploitation More Likely
Attack Vector: Network
Privileges Required: None
User Interaction: Required

CVE-2026-41103 is an elevation of privilege vulnerability affecting Microsoft Single Sign-On Plugin for Jira and Confluence. The vulnerability exists in the authentication process, where an attacker can send a specially crafted response message during login to bypass Microsoft Entra ID authentication and sign in using a forged identity.

Technical Details:

The vulnerability stems from improper validation of authentication responses during the SSO process. An attacker positioned to intercept or manipulate authentication traffic can craft a malicious response that the plugin accepts as legitimate, effectively bypassing the intended authentication mechanism. This allows the attacker to impersonate any user without possessing valid credentials.

Impact:

Successful exploitation allows an attacker to:

• Sign in to Jira or Confluence without Microsoft Entra ID authentication
• Access data with permissions of the impersonated user
• Modify content within the scope of the targeted user's permissions
• Establish persistent access by creating or modifying authentication artifacts

The accessible information is limited by the permissions defined for the authorized user on the target servers, but in environments where users have broad access, the potential for data exposure and modification is significant.

Exploitation Scenario:

1. Attacker intercepts or positions themselves to view SSO authentication traffic
2. User initiates legitimate authentication to Jira or Confluence via Microsoft SSO
3. Attacker intercepts authentication response
4. Attacker modifies response to include forged identity claims
5. Plugin accepts forged response and grants access
6. Attacker gains access with impersonated user's privileges

Remediation Priority: Immediate (Critical priority for organizations using Microsoft SSO Plugin with Jira or Confluence)

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367: Microsoft Word RCE Vulnerabilities

CVSS Score: 8.4 (Critical) for all four CVEs
Exploitability Assessment: CVE-2026-40361 and CVE-2026-40364 assessed as "Exploitation More Likely"
Attack Vector: Local (requires user interaction)
Privileges Required: None
User Interaction: Required

Microsoft addressed four critical remote code execution vulnerabilities in Microsoft Word that can be exploited through malicious document files. All four vulnerabilities are exploitable through the Preview Pane, meaning users do not need to open files for successful attacks.

Technical Details:

These vulnerabilities stem from improper handling of specially crafted Word documents. When a malicious file is processed (either opened or previewed), memory corruption occurs that allows an attacker to execute arbitrary code with the privileges of the current user. The Preview Pane attack vector is particularly concerning because it enables zero-click exploitation (users don't need to explicitly open files, merely selecting or previewing them triggers the vulnerability).

Impact:

Successful exploitation allows an attacker to:

• Execute arbitrary code on the victim's system
• Install malware or backdoors
• Access sensitive documents and data
• Move laterally within the network if the compromised system has network access
• Establish persistence mechanisms

Exploitation Scenario:

1. Attacker crafts malicious Word document exploiting one or more of these vulnerabilities
2. Attacker delivers document via email, shared network drive, or SharePoint
3. Victim receives file and either:
   • Previews file in Windows Explorer (Preview Pane enabled)
   • Selects file in Outlook attachment pane
   • Opens file in Microsoft Word
4. Memory corruption occurs during document processing
5. Attacker's code executes with victim's privileges

Remediation Priority: Critical (Office Preview Pane vulnerabilities require immediate attention due to zero-click exploitation potential)

Mitigation if Patching Delayed:

• Disable Preview Pane in Windows Explorer and Outlook
• Configure Outlook to block automatic download of attachments
• Enable Protected View for files from internet and potentially unsafe locations
• Train users to exercise extreme caution with unexpected Word documents

CVE-2026-41089: Windows Netlogon Remote Code Execution

CVSS Score: 9.8 (Critical)
Exploitability Assessment: Exploitation Less Likely
Attack Vector: Network
Privileges Required: None
User Interaction: None

CVE-2026-41089 is a remote code execution vulnerability in Windows Netlogon, the Windows Server process responsible for authentication within Active Directory domains. Despite its critical severity and near-perfect CVSS score, Microsoft has assessed exploitation as "Less Likely."

Technical Details:

The vulnerability exists in how Netlogon processes network requests sent to Windows Servers functioning as domain controllers. An unauthenticated, remote attacker can send a specially crafted network packet that exploits a stack-based buffer overflow vulnerability in the Netlogon service. Successful exploitation allows the attacker to execute arbitrary code on the domain controller with SYSTEM-level privileges.

Impact:

Successful exploitation of a domain controller allows an attacker to:

• Gain complete control of the Active Directory domain
• Access all domain credentials and authentication data
• Modify domain policies and security configurations
• Deploy malware across all domain-joined systems
• Establish persistent, domain-wide backdoors
• Access all resources within the domain

The potential for complete domain compromise makes this vulnerability extremely dangerous, even though Microsoft assesses exploitation as "Less Likely." The assessment may reflect the complexity of exploitation or specific environmental requirements, but the potential impact justifies treating this as a highest-priority patch.

Exploitation Scenario:

1. Attacker identifies domain controllers on network (typically via port scanning or reconnaissance)
2. Attacker crafts malicious Netlogon request exploiting buffer overflow
3. Attacker sends crafted request to domain controller
4. Buffer overflow occurs in Netlogon service
5. Attacker's code executes with SYSTEM privileges on domain controller
6. Attacker leverages domain controller access for complete domain takeover

Remediation Priority: Critical (Domain controllers must be patched immediately despite "Less Likely" exploitation assessment)

CVE-2026-33841, CVE-2026-35420, CVE-2026-40369: Windows Kernel EoP Vulnerabilities

CVSS Score: 7.8 (High) for all three CVEs
Exploitability Assessment: CVE-2026-33841 and CVE-2026-40369 assessed as "Exploitation More Likely"
Attack Vector: Local
Privileges Required: Low
User Interaction: None

May's release includes three elevation of privilege vulnerabilities affecting the Windows Kernel. These issues allow local attackers with low privileges to escalate to SYSTEM or Medium/High integrity levels, enabling them to bypass security controls and gain administrative access.

Technical Details:

Windows Kernel EoP vulnerabilities typically stem from improper handling of system calls, memory management issues, or insufficient validation of user-supplied data passed to kernel-mode components. Attackers with initial low-privileged access (such as a standard user account or compromised application) can exploit these flaws to execute code with elevated privileges.

Year-to-Date Windows Kernel EoP Context:

Including these three May vulnerabilities, Microsoft has addressed 13 Windows Kernel EoP vulnerabilities so far in 2026. This pattern demonstrates ongoing security challenges in the Windows kernel and highlights why these components remain high-priority targets for attackers.

Impact:

Successful exploitation allows an attacker to:

• Elevate from standard user to SYSTEM privileges
• Bypass User Account Control (UAC)
• Disable security software
• Install malware or rootkits
• Access sensitive system resources
• Establish persistent access mechanisms

Exploitation Scenario:

1. Attacker gains initial access to system (via phishing, malware, or compromised application)
2. Attacker runs with low-privileged user account
3. Attacker executes exploit code targeting kernel vulnerability
4. Kernel processes malicious request with elevated privileges
5. Attacker's code executes with SYSTEM privileges
6. Attacker disables security controls and establishes persistence

Remediation Priority: High (These vulnerabilities are frequently chained with other exploits in sophisticated attack campaigns)

Affected Products and Components

May 2026 patches affect a comprehensive range of Microsoft products and services:

Operating Systems

• Windows 11: Versions 25H2, 24H2, 23H2, 22H2, 21H2
• Windows 10: Versions 22H2 (ESU required), 21H2 (ESU required), Version 1607
• Windows Server: 2025, 2022, 2019, 2016

Windows 10 ESU Reminder: Windows 10 reached end-of-life on October 14, 2025. Organizations still running Windows 10 must maintain active Extended Security Update (ESU) enrollment to receive May patches. Windows 10 Enterprise 2016 LTSB receives extended support until October 13, 2026.

Productivity and Collaboration

• Microsoft Office 2021, 2019, 2016
• Microsoft 365 Apps for Enterprise
• Microsoft Office Excel
• Microsoft Office Word
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft Teams
• OneDrive for Business
• Dynamics 365 (on-premises)
• Dynamics Business Central
• Dynamics 365 Customer Insights

Cloud and Azure Services

• Azure AI Foundry M365 Published Agents
• Azure Cloud Shell
• Azure Connected Machine Agent
• Azure DevOps
• Azure Entra ID
• Azure Logic Apps
• Azure Machine Learning
• Azure Managed Instance for Apache Cassandra
• Azure Monitor Agent
• Azure Notification Service
• Azure SDK

Development Tools and Platforms

• .NET Framework 4.8, 4.7.2, 4.6.2
• .NET 10.0, 9.0
• ASP.NET Core
• Visual Studio 2022, 2019
• Visual Studio Code
• GitHub Copilot and Visual Studio integration
• Microsoft Data Formulator

Server and Infrastructure

• SQL Server 2022, 2019, 2017
• Microsoft Windows DNS
• Windows Hyper-V
• Windows Message Queuing
• Windows Print Spooler Components
• Windows SMB Client
• Windows TCP/IP
• Windows Storage Spaces Controller

AI and Copilot Products

• M365 Copilot
• M365 Copilot for Desktop
• Copilot Chat (Microsoft Edge)
• GitHub Copilot

Browser and Edge Technologies

• Microsoft Edge (Chromium-based)
• Microsoft Edge for Android
• MSHTML Framework (legacy IE components)

System Components

• Windows Kernel and Kernel-Mode Drivers
• Windows Ancillary Function Driver for WinSock
• Windows Application Identity (AppID) Subsystem
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows DWM Core Library
• Windows Event Logging Service
• Windows Filtering Platform (WFP)
• Windows GDI
• Windows Internet Key Exchange (IKE) Protocol
• Windows LDAP (Lightweight Directory Access Protocol)
• Windows Link-Layer Discovery Protocol (LLDP)
• Windows Native WiFi Miniport Driver
• Windows Netlogon
• Windows Projected File System
• Windows Remote Desktop
• Windows Rich Text Edit Control
• Windows Secure Boot
• Windows Storport Miniport Driver
• Windows Telephony Service
• Windows Volume Manager Extension Driver
• Windows Win32K (GRFX and ICOMP)

Additional Components

• Data Deduplication
• Telnet Client
• Windows Admin Center
• Microsoft Partner Center
• Microsoft SSO Plugin for Jira & Confluence
• Power Automate

Secure Boot Certificate Deployment: 45 Days Until Deadline

Critical Timeline Update

May 12, 2026: 45 days remaining until June 26 Secure Boot certificate expiration
June 9, 2026: Final Patch Tuesday before expiration (17 days remaining)
June 26, 2026: Certificate expiration (ABSOLUTE DEADLINE)

May's Patch Tuesday continues the critical deployment of updated Secure Boot certificates (2023 certificates) required before the June 26, 2026 expiration of original 2011 certificates. With only 45 days remaining, this is the final comfortable deployment window for enterprise-scale infrastructure.

Immediate Validation Required

After installing May updates, immediately verify Secure Boot certificate deployment:

PowerShell Validation Method:

# Check Secure Boot state
Confirm-SecureBootUEFI

# Check certificate status (requires administrator privileges)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State" -Name UEFICA2023Status

Expected Result: UEFICA2023Status should return "updated" indicating successful certificate deployment.

Alternative Validation: Use Windows Security app in Windows 11/10:

1. Open Windows Security
2. Navigate to Device Security
3. Check Secure Boot status indicator
4. Green badge indicates certificates updated and Secure Boot functional
5. Yellow or red badge indicates action required

Consequences of Non-Compliance After June 26

Devices without updated 2023 Secure Boot certificates will experience:

Immediate Effects (June 27, 2026 onwards):

• Systems continue to boot and operate normally
• Standard Windows updates continue to install
• Loss of boot-level security protections

Security Degradation:

• No security fixes for Windows Boot Manager
• No updates to Secure Boot databases or revocation lists
• No mitigations for newly discovered boot-level vulnerabilities
• Vulnerable to bootkit malware like BlackLotus (CVE-2023-24932)
• Cannot trust third-party software signed with new certificates

Long-term Consequences:

• Increasing vulnerability as new boot-chain exploits are discovered
• Potential boot failures after future security updates
• Compliance violations in regulated industries (HIPAA, PCI-DSS, SOX)
• BitLocker hardening compromised
• Windows Defender System Guard degraded

OEM Firmware Update Requirements

Many devices require manufacturer BIOS/UEFI updates to receive 2023 certificates:

• Dell: Dell Support (Dell Command Update)
• HP: HP Support (HP Image Assistant or HP Support Assistant)
• Lenovo: Lenovo Support (Lenovo System Update or Lenovo Vantage)
• ASUS: ASUS Support (MyASUS or manual BIOS update)
• Microsoft Surface: Windows Update automatically delivers firmware updates

Organizations must coordinate OEM firmware updates alongside Windows Update deployment to ensure complete certificate coverage before June 26.

Third-Party Security Updates Coordinating with May Patch Tuesday

Adobe Security Updates

Adobe released security patches addressing multiple vulnerabilities:

Adobe Acrobat Reader:

• CVE-2026-34621: CVSS 8.6 (High severity, actively exploited in the wild)
• CVE-2026-34622: CVSS 8.6 (High severity)

Both vulnerabilities affect how Adobe Acrobat Reader processes crafted PDF files, potentially allowing attackers to execute unauthorized actions or compromise user systems through malicious documents. The active exploitation of CVE-2026-34621 makes this an urgent update for organizations where PDF files are routinely opened from external or untrusted sources.

Google Chrome Critical and High-Severity Updates

Google released two major Chrome updates addressing over 148 vulnerabilities:

Critical Severity:

• CVE-2026-7908: CVSS 9.6
• CVE-2026-6296: CVSS 9.6

High Severity (Active Exploitation):

• CVE-2026-5281: CVSS 8.8 (actively exploited in the wild)

Additional High Severity (Selected):

• CVE-2026-7896, CVE-2026-7898, CVE-2026-7899: CVSS 8.8
• CVE-2026-7901, CVE-2026-7902, CVE-2026-7903: CVSS 8.8
• CVE-2026-6299 through CVE-2026-6318: CVSS 8.8

The presence of an actively exploited vulnerability (CVE-2026-5281) in Chrome's Dawn component makes this update critical. Microsoft Edge Chromium typically receives these fixes within 3-7 days of Chrome's release.

Mozilla Firefox v150

Mozilla addressed 271 vulnerabilities in Firefox v150, including several high-severity memory corruption and use-after-free bugs:

High Severity:

• CVE-2026-6746, CVE-2026-6747: CVSS 7.5
• CVE-2026-6751, CVE-2026-6752, CVE-2026-6753: CVSS 7.3
• CVE-2026-6754: CVSS 7.5
• CVE-2026-6785: CVSS 8.1

While no active exploitation has been confirmed, browser vulnerabilities present significant risk due to constant exposure to untrusted web content. Organizations should prioritize browser updates alongside Windows and Office patches.

Oracle Critical Patch Update

Oracle's quarterly Critical Patch Update typically addresses:

• Java SE critical security fixes
• Oracle Database vulnerabilities
• Enterprise application patches (E-Business Suite, PeopleSoft)
• Middleware security updates (WebLogic, Fusion Middleware)

Organizations running Oracle products should coordinate deployment with Microsoft patches to maintain comprehensive security posture.

SAP Security Patch Day

SAP's May Security Patch Day addresses critical vulnerabilities:

SAP Business Planning and Consolidation:

• CVE-2026-27681: CVSS 9.9 (Critical severity)

This critical vulnerability affects SAP Business Planning and Consolidation and SAP Business Warehouse, allowing attackers to execute arbitrary code. Given the role of these platforms in financial planning and business operations, exploitation could lead to widespread disruption and data compromise.

Deployment Strategy and Best Practices

Phased Deployment Timeline for May 2026

Week 1 (May 12-18): Assessment and Pilot Deployment

May 12-13 (Days 0-1):

• Security team reviews all 118 CVEs in the release
• Download patches to WSUS/SCCM/Intune infrastructure
• Verify BitLocker recovery keys are accessible
• Alert stakeholders of upcoming deployment schedule
• Deploy to pilot groups (100-500 systems across diverse configurations)

May 14-16 (Days 2-4):

• Monitor pilot systems for stability, performance, application compatibility
• Track community issue reports (Reddit r/sysadmin, Spiceworks, Microsoft forums)
• Verify Secure Boot certificate deployment in pilot systems
• Document any compatibility problems
• Expand pilot to additional test groups if no critical issues

May 17-18 (Days 5-6):

• Final pilot validation
• Determine if any patches should be held pending Microsoft resolution
• Notify stakeholders of production deployment schedule

Week 2 (May 19-25): Phase 1 Production Deployment

• Deploy to Tier 3 systems (least critical infrastructure)
• Continuous monitoring for issues
• Daily compliance scans
• Verify Secure Boot certificate deployment across Tier 3

Week 3 (May 26-June 1): Phase 2 Production Deployment

• Deploy to Tier 2 systems (important but not mission-critical)
• Intensive monitoring for business application compatibility
• Address any emerging issues
• Verify certificate deployment compliance

Week 4 (June 2-8): Phase 3 Production Deployment

• Deploy to Tier 1 systems (mission-critical infrastructure)
• 24/7 monitoring during deployment
• Immediate escalation procedures for critical issues
• Final Secure Boot certificate validation

Testing Checklist

Before production deployment, validate:

System Functionality:

• [ ] Windows boots successfully
• [ ] Secure Boot remains enabled
• [ ] BitLocker encryption maintained
• [ ] No BitLocker recovery prompts on boot
• [ ] Network connectivity functional
• [ ] Remote Desktop Services accessible
• [ ] Print services operational
• [ ] File sharing functional

Application Compatibility:

• [ ] Line-of-business applications launch and function
• [ ] Microsoft Office applications operational (critical due to Word RCE vulnerabilities)
• [ ] Database connectivity (SQL Server, Oracle) functional
• [ ] Web applications accessible
• [ ] VPN connectivity working
• [ ] Custom applications tested
• [ ] Third-party security software compatible

Security Validation:

• [ ] UEFICA2023Status shows "updated"
• [ ] Secure Boot enabled in UEFI firmware
• [ ] Windows Security app shows green Secure Boot badge
• [ ] No Event ID 1795 errors in Event Viewer
• [ ] Antivirus/EDR operational
• [ ] Firewall rules intact

Performance Verification:

• [ ] Boot times within acceptable range
• [ ] Application launch times normal
• [ ] Network throughput satisfactory
• [ ] No unusual CPU/memory consumption
• [ ] Event logs clean (no critical errors)

Organization-Specific Deployment Guidance

Small and Medium Businesses (SMBs):

• Deploy within first week (May 12-19)
• Enable automatic updates for consumer-grade devices
• Focus manual testing on business-critical applications
• Verify Secure Boot compliance using PowerShell commands
• Leverage managed service providers if internal resources constrained

Enterprise Organizations:

• Multi-phase deployment across pilot, pre-production, production tiers
• Executive-level reporting on Secure Boot certificate compliance
• Advanced telemetry and monitoring for patch success rates
• Coordination with application owners for compatibility testing
• 24/7 support coverage during deployment periods

Healthcare, Finance, and Critical Infrastructure:

• Extended testing windows (5-7 days) before production
• Regulatory compliance coordination (HIPAA, PCI-DSS, SOX)
• Virtual patching or network segmentation for systems requiring extended testing
• 24/7 SOC coordination with enhanced monitoring
• Business continuity planning with redundant systems

Known Issues and Compatibility Concerns

March 2026 Quality Issues: Lessons Applied

March 2026 experienced significant update quality problems that inform May deployment strategies:

• KB5079391 pulled within 24 hours due to widespread Error 0x80073712 installation failures
• Multiple out-of-band updates needed to fix previous patch issues
• Outlook compatibility problems with Teams Meeting add-in
• Microsoft account sign-in disruptions requiring emergency fixes

May Deployment Recommendations Based on March Experience

1. Extended Testing Periods: Allow 3-5 days for pilot testing before production deployment
2. Broader Test Coverage: Include diverse system configurations and third-party applications
3. Rollback Readiness: Ensure BitLocker recovery keys available and recovery procedures tested
4. Phased Deployment: Start with non-critical systems before deploying to production infrastructure
5. Community Monitoring: Track IT community forums for emerging issues before widespread deployment

Deprecated Features

Support and Recovery Assistant (SaRA) Removed:

Microsoft deprecated SaRA from all currently supported operating systems with March 2026 updates. Organizations using SaRA for Microsoft Office, Microsoft 365, or Outlook troubleshooting should transition to "Get Help," available in both full UI and PowerShell/command-line versions.

Resources and Guidance

Microsoft Official Resources

• Security Update Guide: https://msrc.microsoft.com/update-guide
• May 2026 Release Notes: https://msrc.microsoft.com/update-guide/releaseNote/2026-May
• Secure Boot Certificate Updates: https://aka.ms/GetSecureBoot
• Secure Boot Playbook: Microsoft Tech Community
• Windows Update Catalog: https://www.catalog.update.microsoft.com

Zecurit Resources

• Patch Management: What is Patch Management
• Windows Endpoint Management: Complete Guide
• Vulnerability Scanning: Vulnerability Scanning Overview
• BitLocker Management: BitLocker Management Guide
• Endpoint Management: What is Endpoint Management

Vulnerability Intelligence and Analysis

• Tenable Analysis: Microsoft's May 2026 Patch Tuesday Addresses 118 CVEs
• CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• National Vulnerability Database: https://nvd.nist.gov

Community Resources

• Patch Tuesday Support Group: Patch My PC Events
• Windows IT Pro Blog: Microsoft Tech Community
• Reddit r/sysadmin: Community discussion and issue tracking

Conclusion and Recommendations

May 2026 Patch Tuesday delivers a welcome reprieve from the relentless zero-day activity that characterized Q1 2026, but organizations cannot afford complacency. With 16 critical-severity vulnerabilities requiring immediate attention and only 45 days remaining until the Secure Boot certificate expiration deadline, this release demands aggressive deployment and comprehensive validation.

Critical Action Items:

1. Deploy May Patches Immediately (Following enhanced testing protocols from March lessons)
2. Prioritize Office Applications (Four critical Word RCE vulnerabilities with Preview Pane attack vectors)
3. Verify Secure Boot Certificates (Validate UEFICA2023Status shows "updated" on all devices)
4. Coordinate OEM Firmware Updates (Many devices require manufacturer BIOS/UEFI updates)
5. Complete Domain Controller Patching (CVE-2026-41089 Netlogon RCE despite "Less Likely" assessment)

The Bottom Line:

The absence of actively exploited zero-days provides a critical window for organizations to catch up on deployment and complete Secure Boot certificate validation. However, 16 critical-severity vulnerabilities still require immediate attention, and the June 26 Secure Boot deadline approaches rapidly. Organizations that treat May as routine risk both immediate compromise from the critical vulnerabilities and long-term security degradation when certificates expire.

Time Remaining: 45 Days Until Secure Boot Certificate Expiration

Begin deployment immediately. Verify certificate status across entire infrastructure. Complete OEM firmware updates this month. The June 26 deadline is absolute and non-negotiable.

For automated patch deployment and comprehensive endpoint management, explore Zecurit Endpoint Manager with integrated patch management, vulnerability scanning, and compliance reporting.