Microsoft shipped its May 2026 Patch Tuesday on the 12th with fixes for roughly 120 vulnerabilities. Counting advisories for adjacent products, the figure rises to 137 CVEs. Of that total, 17 are rated critical.
What sets this release apart isn’t the volume, which sits in the usual range, but what’s missing: no zero-days. It’s the first Patch Tuesday without a vulnerability that was exploited or publicly disclosed before the patch since June 2024. Almost two straight years with at least one active flaw every month turned that gap into news.
What’s in the batch
Most of the 17 critical issues are remote code execution flaws. Among the ones worth watching are several Microsoft Word vulnerabilities that can be triggered through the Preview Pane in File Explorer and Outlook, meaning the malicious file only needs to render without being fully opened. Microsoft tagged some of them as “Exploitation More Likely,” its label for flaws that stand a good chance of being weaponized.
There’s also a GDI subsystem RCE that fires when you open a crafted Enhanced Metafile (EMF) in Microsoft Paint, plus one in the Windows DNS client that an attacker-controlled server could abuse by sending a specially crafted DNS response. In the worst cases neither requires prior authentication, which pushes their priority up.
For server environments, this same release includes a fix for a stack buffer overflow in the Netlogon service affecting domain controllers. There was no sign of exploitation at launch, but the picture changed a few weeks later.
Why you shouldn’t relax despite the missing zero-days
“No zero-days” describes the snapshot on patch day, not what happens afterward. The Netlogon flaw fixed here (CVE-2026-41089) became actively exploited against domain controllers on May 29, as confirmed by Belgium’s Centre for Cybersecurity. A patch that looked routine on May 12 turned urgent within days.
This is the normal pattern with monthly releases: attackers diff the patched binary against the previous one to reconstruct the flaw and build an exploit. The longer you leave updates unapplied, the more room they have. The absence of zero-days at launch is a breather, not an invitation to delay.
What to do
Apply the May updates as soon as you can on workstations and servers. If you run domain controllers, prioritize Netlogon: SYSTEM-level access and full Active Directory takeover are on the table. On user machines, the Word and GDI flaws are mitigated by the patch, but remind staff not to open attachments from dubious sources, since the Preview Pane can act as a vector even without opening the document.
If you manage fleets with WSUS, Intune or similar tooling, check that your deployment rings aren’t leaving critical machines out. And review the full list in Microsoft’s update portal, because some components (Office, SharePoint) ship through channels separate from Windows Update.
For more on one of the worst flaws in this same release, see the Office Preview Pane RCE and, in the monthly series, the March 2026 Patch Tuesday.