
Patch Tuesday, May 2026: Four Bugs to Fix This Week, and One You Can Ignore

Yesterday was Patch Tuesday. Microsoft published 137 vulnerabilities. Thirty rated critical. Fourteen with a CVSS score above 9.0.

And for the first time since June 2024, no zero-days. Nothing being actively exploited in the wild.

That’s the headline. It’s quite good news, actually. Here’s what to do about it.

A quick word on the numbers

If you read three different summaries of this release, you’ll see three different totals. The Register said 137. SC Media confirmed 137. BleepingComputer counted 120. Cisco Talos called 31 of them critical; Microsoft says 30.

Nobody is wrong. They’re just counting different things. BleepingComputer left out Azure, Copilot, Teams and a few others that Microsoft patched earlier in the month. The rest just round differently.

None of this changes what you need to do. It just explains why the headlines don’t line up.

One more thing worth noting from Microsoft itself. Tom Gallagher at the Microsoft Security Response Center posted a note alongside the release. AI-driven scanning is now finding bugs faster than it used to, and Microsoft’s own internal tool found 16 of this month’s vulnerabilities. Translation: Patch Tuesday releases are going to keep getting bigger. April’s was 169 CVEs, the second-largest on record. Plan for that. Build the patching cadence to absorb it.

The four bugs that actually matter

Bug one: Windows Netlogon (CVE-2026-41089)

Priority one. Patch this in 48 hours.

It’s a buffer overflow in Windows Netlogon. CVSS 9.8. No authentication needed. And according to the Zero Day Initiative, it’s wormable — compromise one domain controller and the attacker can use it to attack the next, without credentials, automatically.

If that sounds familiar, it’s because it’s in the same neighbourhood as ZeroLogon back in 2020 (ZeroLogon was a cryptographic weakness in the same Netlogon service rather than a memory-corruption bug, but the end state is the same). The phrase Cyber Daily used was blunt: a compromised domain controller is a compromised domain. Game over. The attacker walks away with the Active Directory database, your password hashes, and a persistent foothold.

If you run an on-premises domain controller, this is your weekend reading. Patch a test DC first, reboot, verify replication, then roll out to the rest. Roughly an hour per server.

If you’re fully cloud, fully Entra ID, no on-prem AD anywhere — you can skip this one. Check before you assume. Plenty of small businesses still have a legacy domain controller in a cupboard nobody’s documented properly. Find it. Patch it. Then have the conversation about whether it should still be there at all.

Bug two: Windows DNS Client (CVE-2026-41096)

Priority two. Patch your endpoints by Friday.

Heap-based buffer overflow in the Windows DNS Client. CVSS 9.8. No authentication. No user interaction. An attacker who can influence a DNS response — through a man-in-the-middle, a malicious DNS server, a poisoned cache — can run code on the target machine.

The attack surface is every Windows device you own. Every laptop. Every server. Every workstation.

Microsoft has rated exploitation as “less likely,” citing modern memory protections. That’s a fair assessment. It’s not a reason to let the patch sit in your test ring for three weeks.

Test ring tomorrow. Production by end of week.

Bug three: Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103)

This is the one most people will miss. Elevation of privilege in the Microsoft Single Sign-On Plugin for Atlassian Jira and Confluence. Microsoft has rated exploitation as “more likely” — the designation that should always move a bug up your priority list.

An unauthenticated attacker can impersonate an existing user by presenting forged credentials, bypassing Entra ID single sign-on entirely.

Here’s the awkward part. The SANS Internet Storm Center pointed out that the patch links on Microsoft’s advisory point to plugin versions from 2024. That’s odd, and it’s a warning. Don’t just trust the Microsoft page. If you self-host Jira or Confluence with Entra ID SSO, raise a ticket with Atlassian directly and ask which plugin version actually contains the fix.

This needs to be handled separately from your Windows patch cycle.

Bug four: Dynamics 365 on-premises (CVE-2026-42898)

Remote code execution in Microsoft Dynamics 365. CVSS 9.9. On-premises only.

Most UK small businesses on Dynamics 365 are on the cloud version, which isn’t affected. If you’re on-prem, patch this week. If you’re not sure, ask the person who manages your Dynamics tenant.

The bug everyone is talking about that you can ignore

CVE-2026-42826. CVSS 10.0. A perfect score. The one that will dominate this week’s security headlines.

Information disclosure vulnerability in Azure DevOps. Microsoft has already fully mitigated it on their side. No customer action required.

The CVE exists for transparency, not because anybody needs to do anything. When you see “perfect 10 critical bug in May Patch Tuesday” trending on LinkedIn this week, that’s the one. Already fixed. Move on.

The known issue that will lock people out of laptops

This one matters. After installing this month’s update, some Windows devices will prompt for a BitLocker recovery key on the first restart.

It isn’t a bug. BitLocker’s TPM protector seals the volume key to measurements of the boot environment (the PCRs in the platform validation profile). When the Secure Boot certificate update changes what gets measured, the TPM won’t release the key, and BitLocker falls back to asking for the recovery password. Microsoft has documented it.

For most small businesses with default BitLocker settings, this won’t trigger. For organisations running custom security baselines — Cyber Essentials Plus shops, anyone with a managed security configuration on their fleet — it might.

Three things to check before you deploy:

  1. Before pushing the update, set the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured,” so devices use the default profile (PCRs 7 and 11 on Secure Boot machines). Then confirm on a device with manage-bde -protectors -get C:, which reports the profile the existing TPM protector is actually bound to, not just what the policy says.
  2. Confirm BitLocker recovery keys are backed up to Entra ID, Active Directory, or wherever you store them. If you can’t tell anyone where the keys are, find out before Monday morning.
  3. Once deployment is stable, reapply the GPO if your security baseline requires it.

If your IT provider is planning to push this update across your laptop fleet on Monday morning without verifying recovery keys first, ask them what their plan is when the senior team is locked out at 9am. The fact that the prompt only happens once is no comfort to a CEO standing in reception holding a useless laptop.
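The three checks above, as an added PowerShell pre-flight script. It is not from the original post or from Microsoft; it is something to run elevated on each test-ring device (or across the ring with Invoke-Command) before the update goes out. It reports the PCR profile the live TPM protector is sealed with, whether a recovery password protector exists, and backs that password up to Entra ID and/or AD. The registry path for the platform-validation GPO is stated from memory and should be confirmed against VolumeEncryption.admx; the BackupToEntra and BackupToAD switches, and the optional one-reboot suspend, are assumptions about how you want to run it, not anything the post prescribes. The manage-bde parsing assumes English output.

```powershell
# Added example, not the post's own code. Run elevated on a test-ring device.
# Requires the built-in BitLocker module and manage-bde.exe.

function Test-BitLockerPreflight {
    param(
        [string]$MountPoint = 'C:',
        [switch]$BackupToEntra,          # back recovery password up to Entra ID
        [switch]$BackupToAD,             # back recovery password up to on-prem AD
        [switch]$SuspendForOneReboot     # optional: skip TPM validation on the update reboot
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Policy side: has the custom PCR profile GPO been left in place?
    # Assumed registry location of that policy; verify against your ADMX.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $customProfilePolicy = Test-Path $policyKey

    # Device side: the profile the existing TPM protector is actually bound to.
    # manage-bde prints "PCR Validation Profile:" then the PCR list on the next line.
    $lines = @(manage-bde -protectors -get $MountPoint)
    $pcrProfile = 'unknown'
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') { $pcrProfile = $lines[$i + 1].Trim(); break }
    }

    $tpm      = $vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Back every recovery password protector up to wherever the keys are kept.
    $backedUp = @()
    foreach ($rp in $recovery) {
        if ($BackupToEntra) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            $backedUp += "Entra:$($rp.KeyProtectorId)"
        }
        if ($BackupToAD) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            $backedUp += "AD:$($rp.KeyProtectorId)"
        }
    }

    # Standard pre-firmware-change step: suspend for exactly one reboot so the
    # update reboot does not need the TPM to unseal; protection resumes afterwards.
    if ($SuspendForOneReboot -and $vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        ProtectionStatus       = $vol.ProtectionStatus
        TpmProtector           = [bool]$tpm
        PcrProfile             = $pcrProfile
        CustomProfilePolicySet = $customProfilePolicy
        RecoveryPasswordCount  = @($recovery).Count
        BackedUpTo             = ($backedUp -join ', ')
        # Ready only if a TPM protector and a recovery password exist and the
        # custom profile policy (step 1 above) is gone.
        ReadyForUpdate         = ([bool]$tpm -and @($recovery).Count -gt 0 -and -not $customProfilePolicy)
    }
}

Test-BitLockerPreflight -MountPoint 'C:' -BackupToEntra
```

If PcrProfile still shows a non-default set after the GPO has been cleared, the existing protector is carrying the old profile and the device is not ready, whatever the policy report says. A device with RecoveryPasswordCount of 0 has nothing to escrow, which is the case that ends with a CEO in reception.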

The five-step plan for this week

Today: the domain controller. If you have on-premises AD, identify your DCs and schedule the patching window in the next 48 hours. For each Windows Server version, a single cumulative update covers everything in this release: KB5087539 for Windows Server 2025, KB5087545 for Windows Server 2022, KB5087541 for Windows Server 23H2. Older supported versions have their own KBs in Microsoft’s release notes.
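The “patch a test DC, reboot, verify replication, then roll out” loop from the Netlogon section, as an added PowerShell check. This is not from the original post or from Microsoft. It assumes the ActiveDirectory RSAT module and WinRM access to every DC from the account running it, and takes the Server KB numbers straight from the list above; if you are on an older Server version, add its KB to the list. Run it after each DC reboots and before you move to the next one.

```powershell
# Added example, not the post's own code. Needs RSAT ActiveDirectory and WinRM to each DC.
#Requires -Modules ActiveDirectory

# Server cumulative update KBs as listed in the post, one per Server version.
$ServerKbs = 'KB5087539', 'KB5087545', 'KB5087541'

function Test-DcPatchState {
    param([string[]]$KbList = $ServerKbs)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName

        # Which of the expected KBs (if any) are installed on this DC?
        $installed = Invoke-Command -ComputerName $name -ScriptBlock {
            param($kbs)
            Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID
        } -ArgumentList (,$KbList) -ErrorAction SilentlyContinue

        # A pending reboot means the update is only half applied.
        $rebootPending = Invoke-Command -ComputerName $name -ScriptBlock {
            (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
            (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
        } -ErrorAction SilentlyContinue

        # Inbound replication failures reported by this DC's partners.
        $failures = Get-ADReplicationFailure -Target $name -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DomainController    = $name
            OperatingSystem     = $dc.OperatingSystem
            UpdateInstalled     = [bool]$installed
            InstalledKb         = ($installed -join ',')
            RebootPending       = [bool]$rebootPending
            ReplicationFailures = @($failures).Count
            # Safe to move to the next DC only when patched, rebooted and replicating.
            OkToProceed         = ([bool]$installed -and -not [bool]$rebootPending -and @($failures).Count -eq 0)
        }
    }
}

Test-DcPatchState | Format-Table -AutoSize
```

A DC that shows UpdateInstalled true but RebootPending true has not finished; leave it until the reboot. Any non-zero ReplicationFailures count is a stop sign regardless of patch state, and repadmin /replsummary will tell you which partner is unhappy.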

Tomorrow: the test ring. Push the endpoint cumulative update to a small group. The KB numbers:

  • Windows 11 24H2 and 25H2: KB5089549
  • Windows 11 23H2: KB5087420
  • Windows 10 22H2 and 21H2 on ESU: KB5087544

Watch the test ring for 24 to 48 hours. Confirm nobody has hit the BitLocker recovery prompt.

Friday: full deployment. Roll out to the rest of the estate. Friday gives you the weekend to find anything weird before staff log in on Monday.

Atlassian, separately. If you self-host Jira or Confluence with Entra ID SSO, raise the ticket and update the plugin outside the Windows patch cycle.

Then: audit your backlog. If anything in your estate is more than three months behind on patches, that’s your real problem. Not this Patch Tuesday. This release is routine maintenance. It’s the one you skipped last September that’s going to get you compromised.

And it isn’t just Microsoft

May 12 was a busy day across the industry. Adobe published 32 vulnerabilities, including two critical flaws in Adobe Connect. SAP disclosed 15, two of them critical — a SQL injection in S/4HANA and a missing authentication check in Commerce Cloud. AMD released an elevation-of-privilege fix for the op-cache on Zen 2 processors. Apple shipped updates across macOS, iOS, watchOS, iPadOS, visionOS and tvOS.

If your organisation runs any of those, this is patch week for them too. Don’t forget the Macs.

Why a documented patching cadence is now a business advantage

Most UK small businesses don’t have a written patching policy. They have an IT provider who applies updates “when they get round to it,” or they wait for something to break and then patch reactively. Neither of those is a security control. Both of them are a problem.

A 48-hour patching window for critical vulnerabilities, with documented testing and rollback, makes a measurable difference in three places:

  • Cyber Essentials Plus explicitly assesses patch management against a 14-day deadline for critical and high-severity issues. No documented process, no certificate.
  • Supplier security questionnaires from larger customers increasingly ask for patching SLAs. The contract goes to whoever can answer the question with a number.
  • Cyber insurance applications now ask specific questions about how quickly critical patches are deployed. Documented evidence reduces premiums.

The cost of running a documented patching process is low. The cost of not having one — when it’s asked for during an audit, a supplier review, or after an incident — is high. And it keeps going up.

What to do this week

Three things, in order:

  1. Identify your on-premises domain controllers and patch them in the next 48 hours.
  2. Push the endpoint cumulative update to a test ring tomorrow. Confirm BitLocker recovery keys are accessible before production deployment on Friday.
  3. Audit your patching backlog. If anything is more than three months behind, fix that before next month’s release lands.

This isn’t a panic month. It’s a maintenance month. Treat it that way, and finish it on time.

Where we come in

If your patching process is “we hope the updates installed overnight,” or if you’re not entirely sure who owns it, that’s exactly the kind of thing we sort out for the businesses we look after.

Our managed IT service and cyber security work are built around making boring things like Patch Tuesday genuinely boring — predictable, documented, and finished on time without anyone losing a laptop to BitLocker.

Call +44 345 1255400 or book a 15-minute discovery call. No pitch, just a conversation.

In security, just like in everything else, the unglamorous monthly work is what keeps you out of trouble.
