
May Patch Tuesday
Microsoft's monthly security update for May 2026, released on Tuesday 13 May with 120 CVEs.
Last refreshed: 20 May 2026 · Appears in 1 active topic
The 22-month streak ended within 48 hours of Patch Tuesday; what does that say about scheduled-release security signals?
Timeline for May Patch Tuesday
Mentioned in: 200 fixes, six zero-days, late Exchange
Cybersecurity: Threats and DefencesMentioned in: Patch Tuesday clean streak hides out-of-band KEVs
Cybersecurity: Threats and DefencesWhat did Microsoft's May 2026 Patch Tuesday release fix?
Why did Microsoft's 22-month no-zero-day Patch Tuesday streak not actually mean anything?
Background
May Patch Tuesday is the informal name for Microsoft's monthly security update cycle, released on the second Tuesday of each month. The May 2026 edition shipped on Wednesday 13 May 2026 (adjusted from Tuesday 12 May) with 120 CVEs addressed and, notably, no vulnerabilities marked as exploited in the wild at the time of release. That result would have extended to 22 months a streak of Patch Tuesday releases without a release-day zero-day, a milestone Microsoft's security communications team had been tracking.
The streak was broken within 48 hours by two out-of-band KEV additions. CISA added Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) to its Known Exploited Vulnerabilities catalogue on 14 May with Emergency Directive ED 26-03 and a three-day federal remediation window. The following day, 15 May, CISA added Microsoft Exchange CVE-2026-42897, a cross-site scripting zero-day in Outlook Web Access rated CVSS 8.1, with a 29 May federal Deadline and no patch available. Both were actively exploited. The 22-month no-zero-day streak was therefore a Patch Tuesday artefact rather than a security posture shift; the exploitation tempo continued outside the release window.
Notable fixes in the May 2026 Patch Tuesday batch include CVE-2026-41089 (Windows Netlogon remote-code execution, CVSS 9.8), CVE-2026-41103 (SSO Plugin elevation of privilege, CVSS 9.1), CVE-2026-42898 (Dynamics 365 remote-code execution, CVSS 9.9), and four Microsoft Word remote-code execution flaws exploitable via the Preview Pane attack vector. The release demonstrates that Patch Tuesday's significance as a security signal is increasingly lagging indicator: two of May's most consequential Microsoft-adjacent vulnerabilities arrived outside the scheduled cycle entirely.