Microsoft's Quietest Patch Tuesday in Two Years
Microsoft's May 2026 Patch Tuesday has landed with 137 security fixes — but what's notable isn't what was patched, it's what wasn't: for the first time in approximately two years, Microsoft released a Patch Tuesday with zero actively exploited zero-day vulnerabilities.
The milestone offers a rare reprieve for system administrators who have faced a relentless stream of zero-days in virtually every monthly update cycle throughout 2025 and into 2026. While 137 vulnerabilities is still a substantial patch load, the absence of weaponized flaws removes the immediate crisis response pressure from security teams.
By the Numbers
| Category | Count |
|---|---|
| Total CVEs | 137 |
| Critical | 9 |
| Important | 126 |
| Moderate | 2 |
| Zero-Days (Exploited) | 0 |
| Zero-Days (Disclosed) | 0 |
Critical Vulnerabilities Highlight
Despite no zero-days, nine critical vulnerabilities demand prioritized attention. The most significant include:
Windows DNS Server Remote Code Execution
Multiple critical RCE vulnerabilities affect the Windows DNS Server component, which is particularly concerning for organizations running Active Directory infrastructure. A successful exploit could allow an unauthenticated attacker to execute arbitrary code in the context of the DNS service. Any organization with internet-accessible DNS infrastructure or exposed internal DNS servers should prioritize these patches.
Netlogon Remote Code Execution
A critical flaw in the Netlogon protocol — the same protocol that was at the center of the infamous Zerologon vulnerability in 2020 — has been addressed. While Microsoft has not disclosed technical details, RCE in Netlogon carries significant risk for domain-joined environments and Active Directory forests.
Windows Remote Desktop Services
Several critical RCE vulnerabilities in Remote Desktop Services affect multiple Windows Server versions. RDS flaws are perennial targets due to the widespread exposure of RDP across enterprise networks. Organizations should verify RDS patching and ensure RDP is not directly exposed to the internet.
Microsoft Office and SharePoint
Multiple critical vulnerabilities in Office products and SharePoint round out the critical tier. Shared document environments and collaboration platforms continue to be high-value attack surfaces for initial access.
Notable Important-Severity Patches
Among the 126 "Important" rated patches, several stand out:
- Windows Kerberos: Authentication protocol fixes that could prevent privilege escalation
- Azure Active Directory: Identity provider vulnerabilities with potential for token manipulation
- Windows Hyper-V: Hypervisor escape vulnerabilities in virtualization environments
- Microsoft Edge (Chromium): Browser security updates tracking upstream Chromium patches
- Visual Studio: Development environment vulnerabilities targeting developer machines
What "No Zero-Days" Actually Means
It's important to temper the celebration with context. "No zero-days" in a Patch Tuesday release means:
- No publicly known exploits at time of release — vulnerabilities may still become weaponized post-patch
- No confirmed in-the-wild exploitation as of the release date
- Proof-of-concept code may still be developed and released by researchers within days
History shows that critical patches — particularly those for RCE vulnerabilities — often attract exploitation attempts within 24-72 hours of public disclosure. The race between patching organizations and threat actors begins the moment these CVEs are published.
Patch Prioritization Guidance
Given the absence of zero-days, organizations have slightly more time to follow structured patch deployment processes rather than emergency response procedures. Recommended prioritization:
Immediate (within 24-48 hours):
- DNS Server RCE patches for internet-exposed or critical infrastructure DNS
- Netlogon RCE for all domain controllers
- RDS patches for any externally accessible Remote Desktop infrastructure
High Priority (within 1 week):
- SharePoint and Office vulnerabilities in environments with sensitive data
- Hyper-V patches in virtualization infrastructure
- Azure AD identity patches
Standard Deployment (within 2-4 weeks):
- Remaining Important-rated vulnerabilities following normal change management processes
The Broader Trend
The zero-day drought — if it holds — would represent a welcome shift. Microsoft tracked 90 zero-days exploited in 2025 according to Google's Project Zero analysis, with many appearing in Microsoft's own product stack. The concentration of zero-day activity in late 2025 and early 2026 put unprecedented pressure on enterprise patch management teams.
Whether May 2026's clean slate represents a structural shift in attacker behavior or simply a quiet month in an otherwise active threat landscape remains to be seen. June's Patch Tuesday will be telling.
Source: Dark Reading, May 12-13, 2026