# Microsoft Patch Tuesday May 2026: what to patch first

> May 2026 ships 137 CVEs and no zero-days. Domain controllers go first for Netlogon and DNS Client RCEs, both CVSS 9.8 and unauthenticated.

Source: https://fmcybersecurity.com/en/insights/exposure/microsoft-patch-tuesday-may-2026/
Locale: English
Other locale: https://fmcybersecurity.com/insights/exposure/microsoft-patch-tuesday-mai-2026/

## Metadata

- Date: 2026-05-13
- Author: fredrik-standahl
- Topic: exposure
- Format: news

**TL;DR:** May 2026 is the first Microsoft monthly rollup since June 2024 with no zero-day exploited in the wild and no public pre-disclosure. 137 CVEs in core products, 17 Critical, 14 of them remote code execution. Two unauthenticated, network-reachable CVSS 9.8 RCEs (Netlogon CVE-2026-41089 and DNS Client CVE-2026-41096) put domain controllers and DNS servers at the front of the queue. A CVSS 9.9 Dynamics 365 on-premises RCE (CVE-2026-42898) goes in the same ring for any internet-reachable tenant. Two Microsoft Word use-after-free bugs that trigger from the Outlook preview pane force the Office cumulative onto every mailbox-touching device this week. May's update is also the last comfortable deployment window before the original 2011 Secure Boot certificates expire on June 26.

Last reviewed 2026-05-18 by fredrik-standahl

## What Microsoft shipped

Microsoft published 137 CVE fixes on May 12, 2026, with 133 Chromium-based Edge CVEs counted separately. 17 are rated Critical and 14 of those are remote code execution. No Exchange Server update shipped this month for any currently supported version, including those covered by the Extended Security Update program. For the first time in nearly two years, the Microsoft Security Response Center assesses none of these vulnerabilities as exploited in the wild or publicly disclosed before patch day. The pace this month is patch-it-on-schedule, not patch-it-tonight.

That does not mean coast. The list is large, several of the Criticals are network-reachable without credentials, and the calendar is working against defenders on a separate track because of Secure Boot.

## What changes in practice

Two CVSS 9.8 RCEs sit on the unauthenticated, network-reachable tier. CVE-2026-41089 is a stack-based buffer overflow in the Netlogon Remote Protocol: a single crafted request to the Netlogon RPC endpoint yields code execution as the Netlogon service, which runs as SYSTEM on a domain controller. CVE-2026-41096 is a heap-based buffer overflow in the Windows DNS Client with the same exploitation profile and a broader install base, because every Windows host runs the client. Both affect Windows Server 2022 and Windows Server 2025 in supported configurations. Domain controllers and internet-facing DNS servers get patched first; member servers and clients fall in the next ring.
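A fleet check for that first ring, added here as an example and not code from this page or from Microsoft: it enumerates every domain controller in the forest plus any standalone DNS servers you name, then reports whether a given update KB is installed on each. The KB identifier, the `Get-RingOnePatchState` function name and the `dns1.corp.example` hosts are placeholders; take the real KB for each OS build from the Security Update Guide entries for CVE-2026-41089 and CVE-2026-41096. It needs the RSAT ActiveDirectory module on the collector and WMI/DCOM access to the targets.

```powershell
# Added example (not from the page or Microsoft): ring-one patch state for
# every domain controller in the forest plus any non-DC DNS servers you name.
# The KB identifier is a placeholder parameter; look up the real one per OS
# build in the Security Update Guide for CVE-2026-41089 / CVE-2026-41096.
function Get-RingOnePatchState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$KbId,     # e.g. 'KB5000000' (placeholder, not a real ID)
        [string[]]$ExtraDnsServers = @()          # standalone DNS servers to include in ring one
    )

    # Ring one: all DCs across every domain in the forest, then the extra DNS hosts.
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
    $targets = @($dcs) + @($ExtraDnsServers) | Sort-Object -Unique

    foreach ($target in $targets) {
        $role = if ($dcs -contains $target) { 'DC' } else { 'DNS' }
        try {
            # Pull the full list rather than using -Id so that "KB missing" and
            # "host unreachable" stay distinguishable: only the latter throws.
            $installed = Get-HotFix -ComputerName $target -ErrorAction Stop
            $fix = $installed | Where-Object HotFixID -eq $KbId
            [pscustomobject]@{
                Host        = $target
                Role        = $role
                Reachable   = $true
                Patched     = [bool]$fix
                InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
            }
        } catch {
            # WMI/DCOM failure: the host needs a hands-on check, not a retry loop.
            [pscustomobject]@{
                Host        = $target
                Role        = $role
                Reachable   = $false
                Patched     = $false
                InstalledOn = $null
            }
        }
    }
}

# Unpatched DCs land at the top of the report; unreachable hosts are listed too.
Get-RingOnePatchState -KbId 'KB5000000' -ExtraDnsServers 'dns1.corp.example','dns2.corp.example' |
    Sort-Object Patched, Role, Host |
    Format-Table -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which lists each cumulative update under its own KB, so a host that has already taken a later LCU superseding the May one will show as unpatched here unless you pass that later KB instead. Treat the report as a triage list and confirm against WSUS or Windows Update history before closing the ticket.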

CVE-2026-42898 is a CVSS 9.9 code injection in on-premises Microsoft Dynamics 365. Any authenticated user can trigger it: no admin rights and no user interaction required. The CVE is scored with Scope: Changed, meaning a successful exploit affects resources beyond the Dynamics application itself; customer data and the back-office systems integrated with it are reachable from there. If your on-prem Dynamics is internet-exposed, or accessible to suppliers and contractors with low-trust accounts, this patch goes in the same window as the domain controller patches, not later in the month.

Two Microsoft Word use-after-free bugs deserve early attention because the Outlook preview pane is enough to trigger them. Microsoft rates the lead Word flaw "Exploitation More Likely." Users do not need to open the attachment. Outlook does it for them when it renders the preview. Push the Office and Microsoft 365 Apps cumulative to every device that processes external email this week, not next.

Then there is Secure Boot. The 2011 KEK and DB certificates used by most Windows devices built between 2012 and 2025 expire on June 26, 2026. May's Windows Update is the last comfortable deployment window for the 2023 replacement certificates. Devices that miss the rollover keep running, but they enter a degraded security state that blocks future boot-level protections and OS upgrades that require the new chain of trust. Inventory the fleet now for devices that have not received the rollover from earlier rings, in particular older hardware where OEM firmware updates have stalled.
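One way to run that inventory, as an added example rather than the page's or Microsoft's code: it reads the live KEK and db variables on each device, looks for the 2023 CA subjects by name, and reads the rollover status Windows records in the registry. The function name and output fields are invented for this example; the CA names (`Microsoft Corporation KEK 2K CA 2023`, `Windows UEFI CA 2023`, `Microsoft UEFI CA 2023`) and the `UEFICA2023Status` value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` are the ones Microsoft's rollover guidance uses; confirm them against the current version of that guidance before relying on the report.

```powershell
# Added example (not from the page or Microsoft): reports whether this device
# has received the 2023 Secure Boot certificates. Run elevated, locally or via
# Invoke-Command. CA subject names and the Servicing registry value follow
# Microsoft's published rollover guidance; the function and output shape are ours.
function Get-SecureBootRolloverState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBootOn     = $false
        KekHas2023       = $false
        DbHasWindows2023 = $false
        DbHasUefi2023    = $false
        ServicingStatus  = 'Unknown'
        ReadyForJune26   = $false
    }

    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or no Secure Boot support: nothing to roll over, but flag it.
        $result.ServicingStatus = 'SecureBootUnsupported'
        return [pscustomobject]$result
    }

    # db and KEK are raw EFI signature lists holding DER certificates; the subject
    # names are ASCII inside the DER, so a substring match is enough to inventory.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.KekHas2023       = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.DbHasWindows2023 = $db  -match 'Windows UEFI CA 2023'
    $result.DbHasUefi2023    = $db  -match 'Microsoft UEFI CA 2023'

    # Windows records rollover progress here (NotStarted / InProgress / Updated).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $servicing -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    # Ready means the new KEK and both db CAs are present and Windows agrees.
    $result.ReadyForJune26 = $result.KekHas2023 -and $result.DbHasWindows2023 -and
                             $result.DbHasUefi2023 -and ($result.ServicingStatus -eq 'Updated')

    return [pscustomobject]$result
}

# Fleet run: collect from every Windows computer object in AD, laggards first.
# Get-ADComputer needs the RSAT ActiveDirectory module on the collector host.
$targets = (Get-ADComputer -Filter 'OperatingSystem -like "Windows*"').Name
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-SecureBootRolloverState} -ErrorAction SilentlyContinue |
    Sort-Object ReadyForJune26, ComputerName |
    Format-Table ComputerName, SecureBootOn, KekHas2023, DbHasWindows2023, DbHasUefi2023, ServicingStatus, ReadyForJune26 -AutoSize
```

The rollover adds the 2023 entries alongside the 2011 ones rather than removing them, so the continued presence of the old certificates is not a failure signal; what matters is that the 2023 entries are in the variables and the servicing status reads Updated. Hosts that Invoke-Command cannot reach are dropped silently by the -ErrorAction setting and need their own list, and a device that shows the 2023 entries in db but not in KEK is usually one where the OEM firmware has not accepted the KEK update, which is the stalled-firmware case the paragraph above warns about.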

## What we recommend

Patch domain controllers and DNS servers today. Push the Office and Microsoft 365 Apps cumulative to mailbox-touching endpoints in the same window. Treat internet-reachable on-premises Dynamics 365 with the same urgency as the domain controller updates. Confirm Secure Boot certificate rollover status across the fleet before June 26, and escalate any device where the 2023 certificates have not landed because OEM firmware updates are stalled. If you run CrowdStrike Falcon and have not enabled Falcon Exposure Management to surface unpatched device counts by CVE on this month's release, this is the month to turn it on.

Talk to Fredrik if you want our read on prioritization for your stack.

---

*Drafted with AI assistance, reviewed and edited by Fredrik Standahl and the FM editorial team.*

## Sources

- Microsoft Security Response Center, "A note on this month's Patch Tuesday" (May 12, 2026)
- Microsoft Security Update Guide, msrc.microsoft.com/update-guide
- Microsoft Windows IT Pro Blog, "Act now: Secure Boot certificates expire in June 2026"
- Tenable, "May 2026 Microsoft Patch Tuesday addresses 118 CVEs"
- CrowdStrike, "May 2026 Patch Tuesday: Updates and Analysis"
- Cisco Talos Intelligence, "Microsoft Patch Tuesday for May 2026, Snort rules and prominent vulnerabilities"
- BleepingComputer, "Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days"
- The Hacker News, "Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws"
- Krebs on Security, "Patch Tuesday, May 2026 Edition"
- Help Net Security, "Microsoft May 2026 Patch Tuesday, many fixes, but no zero-days"

---

For the full documentation index, see https://fmcybersecurity.com/llms.txt
For the complete corpus as a single document, see https://fmcybersecurity.com/llms-full.txt
