Microsoft's May 2026 Patch Tuesday brings fixes for 138 security vulnerabilities, including 30 rated Critical — with none currently listed as publicly known or under active attack. Among the most significant entries in this release are remote code execution (RCE) vulnerabilities in Windows DNS Server and the Netlogon protocol, both of which represent high-priority targets for enterprise security teams due to their position in core Windows infrastructure.
Patch Tuesday by the Numbers
| Severity | Count |
|---|---|
| Critical | 30 |
| Important | 104 |
| Moderate | 3 |
| Low | 1 |
| Total | 138 |
| Zero-Days (Actively Exploited) | 0 |
| Zero-Days (Publicly Disclosed) | 0 |
While the absence of zero-days provides a slight reprieve for security operations teams, the 138-vulnerability scope — and the inclusion of 30 Critical-rated issues — demands urgent attention. Patch Tuesday releases without zero-days still generate exploit development activity within 24-72 hours of release.
Critical Highlights: DNS and Netlogon RCE
Windows DNS Server RCE
A remote code execution vulnerability in the Windows DNS Server component is among the most notable fixes in this release. DNS Server RCE vulnerabilities are particularly dangerous in enterprise environments because:
- DNS servers are ubiquitous — present in virtually every Windows Active Directory environment
- DNS Server typically runs with SYSTEM-level privileges on domain controllers
- DNS infrastructure is network-exposed by design — clients across the enterprise reach out to DNS servers constantly
- Exploitation can cascade: compromising a domain controller's DNS service can facilitate broader AD compromise
Organizations running Windows DNS in their AD infrastructure should prioritize this fix. DNS server RCE vulnerabilities have historically been exploited both by nation-state actors and ransomware operators targeting Active Directory environments.
Netlogon RCE
The Netlogon protocol is the authentication backbone of Windows domain environments, handling machine-to-domain authentication, pass-through authentication, and replication. An RCE vulnerability in Netlogon carries exceptional risk because:
- Netlogon operates at the domain controller level
- The protocol is involved in authentication for every domain-joined machine
- Historical Netlogon vulnerabilities (e.g., Zerologon — CVE-2020-1472) became weapons of choice for ransomware operators almost immediately after disclosure
Security teams should treat Netlogon RCE patches as emergency-priority items, particularly for organizations with externally-exposed domain infrastructure or those operating in threat-dense verticals (healthcare, manufacturing, financial services).
Full Scope of the May 2026 Release
Vulnerability Categories
| Category | Description | Priority |
|---|---|---|
| Remote Code Execution (RCE) | Execute arbitrary code on the target | Critical |
| Elevation of Privilege (EoP) | Gain higher privileges on a compromised host | High |
| Security Feature Bypass | Circumvent security controls (Defender, SmartScreen, UAC) | High |
| Information Disclosure | Expose sensitive data from memory or files | Medium |
| Denial of Service (DoS) | Disrupt availability of services | Medium |
| Spoofing | Impersonate legitimate services or identities | Medium |
Affected Product Areas
| Product | Severity |
|---|---|
| Windows Server 2019/2022/2025 | Critical/Important |
| Windows 11 (all supported versions) | Critical/Important |
| Windows 10 (all supported versions) | Critical/Important |
| Windows DNS Server | Critical — prioritize |
| Netlogon | Critical — prioritize |
| Microsoft Edge (Chromium) | Important |
| Microsoft Office (Word, Excel, Outlook) | Important |
| Azure Services | Important |
| .NET Framework & Visual Studio | Important |
| Windows Remote Desktop Services | Important |
| Microsoft SharePoint Server | Important |
| Hyper-V | Important |
| Windows Print Spooler | Important |
No Zero-Days — What That Means
May 2026 is one of the first Patch Tuesday releases in recent months without an actively exploited zero-day. For context, the 2026 Patch Tuesday cadence has been zero-day-heavy:
| Month | Exploited Zero-Days | Total Fixes |
|---|---|---|
| January 2026 | 3 | 159 |
| February 2026 | 6 | 67 |
| March 2026 | 4 | 57 |
| April 2026 | 1 | 168 |
| May 2026 | 0 | 138 |
No zero-days in the disclosure does not mean exploitation will not begin shortly. Security research groups routinely develop working proofs-of-concept within 24-72 hours of a Patch Tuesday release by reverse-engineering the patches themselves. The DNS and Netlogon RCE vulnerabilities in particular are likely to receive significant researcher attention given their prominence.
Prioritization Guidance
Given the 138-vulnerability scope, security teams should triage using the following framework:
| Priority | Criteria | Target Remediation |
|---|---|---|
| P1 — Emergency | DNS Server RCE, Netlogon RCE, any unauthenticated Critical RCE | 24 hours |
| P2 — Urgent | Critical RCE with authentication or user interaction | 72 hours |
| P3 — High | Important EoP, security feature bypass | 7 days |
| P4 — Standard | Important info disclosure, spoofing, DoS | 30 days |
Applying May 2026 Updates
Windows Update (Workstations)
Navigate to Settings → Windows Update → Check for Updates or use PowerShell:
Install-Module PSWindowsUpdate -Force -Scope CurrentUser
Get-WindowsUpdate -Install -AcceptAll -AutoRebootWSUS Environments
$wsus = Get-WsusServer
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$updates = $wsus.GetUpdates($scope)
$updates | Where-Object { $_.CreationDate -gt (Get-Date "2026-05-12") } | ForEach-Object {
$_.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
$wsus.GetComputerTargetGroups()[0])
}Verify Patch Installation
# Check for May 2026 hotfixes
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-05-12") } |
Sort-Object InstalledOn -Descending | Select-Object HotFixID, InstalledOn, Description
# Check if reboot is pending
$rebootKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
if (Test-Path $rebootKey) { Write-Host "REBOOT REQUIRED" -ForegroundColor Red }