Microsoft's May 2026 Patch Tuesday has arrived with security fixes for 120 vulnerabilities spanning Windows, Microsoft Edge, Office, Azure services, and the broader Microsoft ecosystem. Notably, this release contains no zero-day vulnerabilities — a rare occurrence in 2026, which has seen a steady drumbeat of actively exploited flaws in previous monthly updates.
Security teams should prioritize the critical and important remote code execution (RCE) and elevation of privilege (EoP) fixes, which represent the highest-risk categories in this month's release.
Patch Tuesday by the Numbers
| Category | Count |
|---|---|
| Total Vulnerabilities | 120 |
| Critical | ~11 |
| Important | ~107 |
| Moderate/Low | ~2 |
| Zero-Days (Actively Exploited) | 0 |
| Zero-Days (Publicly Disclosed) | 0 |
This is one of the first Patch Tuesday releases in 2026 without at least one actively exploited vulnerability. Previous months in 2026 featured zero-days in Windows, Defender, and core OS components, making May's clean slate a welcome development for security operations teams.
Why No Zero-Days Is Still Significant
A month without zero-days does not mean the update can be deprioritized. Vulnerability exploitation timelines have compressed dramatically in 2026 — threat actors routinely reverse-engineer patches and develop working exploits within 24-72 hours of a Patch Tuesday release. The absence of zero-days in the disclosure does not mean exploitation won't begin shortly after patches are available.
CISA has continued to urge organizations to treat Patch Tuesday releases with urgency, regardless of zero-day status.
Key Vulnerability Categories
Remote Code Execution (RCE)
RCE vulnerabilities remain the highest-priority category. An attacker who successfully exploits an RCE flaw can execute arbitrary code on a target system, often leading to full system compromise. This month's release addresses RCE vulnerabilities across multiple Windows components and services.
Organizations should prioritize patching any RCE-classified vulnerabilities affecting:
- Windows components with network-facing attack surfaces (highest priority — no user interaction required)
- Microsoft Office applications (typically require user to open malicious document, but widely exploited via phishing)
- Web-facing services and APIs (Azure, web server roles)
Elevation of Privilege (EoP)
EoP vulnerabilities are frequently chained with initial access exploits. An attacker who gains a low-privileged foothold on a system can use an EoP flaw to escalate to SYSTEM or Administrator level, unlocking full control of the machine. EoP flaws in Windows kernel, driver, and service components are particularly valuable to ransomware operators and APT groups.
Security Feature Bypass
Security feature bypass vulnerabilities undermine defenses like Windows Defender, SmartScreen, or User Account Control (UAC). While these do not enable standalone compromise, they are routinely chained with other flaws to neutralize detection and execution controls.
Spoofing Vulnerabilities
Spoofing flaws may allow attackers to impersonate legitimate services, forge certificates, or manipulate identity validation mechanisms. In enterprise environments with heavy reliance on Windows authentication infrastructure, spoofing vulnerabilities carry significant risk.
Affected Products
This month's update touches a broad range of Microsoft products and components:
| Product Area | Risk Level |
|---|---|
| Windows 11 (all supported versions) | Critical/Important |
| Windows 10 (all supported versions) | Critical/Important |
| Windows Server 2019/2022/2025 | Critical/Important |
| Microsoft Edge (Chromium-based) | Important |
| Microsoft Office (Word, Excel, Outlook) | Important |
| Microsoft Azure services | Important |
| .NET and Visual Studio | Important |
| Windows Remote Desktop Services | Important |
| Microsoft SharePoint Server | Important |
| Hyper-V | Important |
Applying May 2026 Updates
Windows Update (End Users and Workstations)
# Force check for and download available updates
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -Install -AcceptAll -AutoRebootOr navigate to: Settings → Windows Update → Check for Updates
Windows Server Update Services (WSUS)
# Approve and deploy May 2026 updates in WSUS
# Run on WSUS server
$wsus = Get-WsusServer
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$updates = $wsus.GetUpdates($updateScope)
$updates | Where-Object { $_.CreationDate -gt (Get-Date "2026-05-12") } | ForEach-Object {
$_.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $wsus.GetComputerTargetGroups()[0])
}Microsoft Endpoint Configuration Manager (MECM/SCCM)
- Navigate to Software Library → Software Updates → All Software Updates
- Filter by Date Released: May 13, 2026
- Review and create a Software Update Group for May 2026
- Deploy to target collections with appropriate maintenance window scheduling
Verifying Patch Status
# Check installed Windows updates
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-05-12") } | Sort-Object InstalledOn -Descending
# Check pending reboot status
$pending = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue
if ($pending) { Write-Host "REBOOT REQUIRED" -ForegroundColor Red } else { Write-Host "No reboot pending" -ForegroundColor Green }Prioritization Guidance for Security Teams
Given the volume of patches in this release, teams should triage by the following criteria:
| Priority | Criteria | Action |
|---|---|---|
| P1 — Emergency (24h) | Critical RCE, network-accessible, no auth required | Emergency change window |
| P2 — Urgent (72h) | Critical RCE with auth or user interaction required | Priority patching cycle |
| P3 — High (7 days) | Important EoP and security feature bypass | Standard patching cycle |
| P4 — Standard (30 days) | Important information disclosure and spoofing | Monthly patching cycle |
For environments with strict change management processes, the absence of zero-days in this release provides slightly more flexibility on timeline compared to months with actively exploited vulnerabilities — but the 24-72 hour exploit development window should still drive urgency for critical-severity items.
Context: 2026 Patch Tuesday Recap
May's clean slate contrasts sharply with the zero-day-heavy environment of early 2026:
| Month | Zero-Days (Exploited) | Total Fixes |
|---|---|---|
| January 2026 | 3 | 159 |
| February 2026 | 6 | 67 |
| March 2026 | 4 | 57 |
| April 2026 | 1 | 168 |
| May 2026 | 0 | 120 |
The April 2026 update was Microsoft's second-largest monthly batch on record, covering 168 vulnerabilities including a SharePoint zero-day. May's 120-flaw release with no zero-days represents a more normalized patch cycle.