For May, Patch Tuesday means 139 updates — but no zero-days

Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office.

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. The Readiness team suggests that testing start with internet-facing services, domain controllers, and Office endpoints. The May 2026 Assurance Security Dashboard breaks the cycle down by Microsoft product family for deployment risk assessment.

(More information about recent Patch Tuesday releases is available here.)

Known issues

Patch Tuesday arrived this month with a clean bill of health (at least with respect to reported and known issues) for Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025. However, two items warrant attention.

For May, Patch Tuesday means 139 updates — but no zero-days

Other newsrooms on this story

Related reading

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Other newsrooms on this story

Related reading

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs

Microsoft Windows Alert—Angry Hacker Drops 2 New Zero-Day Exploits

Microsoft patch fell short. New Windows flaw exploited

Mystery Microsoft bug leaker keeps the zero-days coming

Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday