
May Patch Tuesday

Microsoft's monthly security update for May 2026, released on Tuesday 13 May with 120 CVEs.

Last refreshed: 20 May 2026

Key Question

The 22-month streak ended within 48 hours of Patch Tuesday; what does that say about scheduled-release security signals?

Common Questions
What did Microsoft's May 2026 Patch Tuesday release fix?
Microsoft's May 2026 Patch Tuesday shipped 120 CVEs with no in-the-wild zero-days at release. Notable fixes include CVE-2026-41089 (Netlogon RCE, CVSS 9.8), CVE-2026-42898 (Dynamics 365 RCE, CVSS 9.9), and four Word RCE flaws via Preview Pane. Source: BleepingComputer / Tenable
Why did Microsoft's 22-month no-zero-day Patch Tuesday streak not actually mean anything?
Two actively exploited vulnerabilities were added to CISA's KEV catalogue within 48 hours of the May 2026 release: Cisco SD-WAN CVE-2026-20182 on 14 May and Exchange CVE-2026-42897 on 15 May. The streak was a Patch Tuesday artefact; exploitation continued outside the scheduled window. Source: CISA KEV / BleepingComputer
What is Patch Tuesday and when does it happen?
Patch Tuesday is Microsoft's monthly security update release, scheduled for the second Tuesday of each month. It addresses vulnerabilities in Windows, Office, Exchange, and other Microsoft products. The May 2026 edition released 120 CVE fixes.
What were the most critical fixes in May 2026 Patch Tuesday?
The highest-severity fixes include CVE-2026-42898 (Dynamics 365 RCE, CVSS 9.9), CVE-2026-41089 (Windows Netlogon RCE, CVSS 9.8), and CVE-2026-41103 (SSO Plugin elevation of privilege, CVSS 9.1). Four Microsoft Word RCE flaws exploitable via Preview Pane were also patched. Source: Tenable
Is the Exchange CVE-2026-42897 zero-day included in May Patch Tuesday?
No. CVE-2026-42897 was added to CISA's KEV catalogue on 15 May, two days after Patch Tuesday, as an out-of-band addition with no Microsoft patch available. It is separate from the 120 CVEs addressed in the scheduled release. Source: CISA KEV

Background

Patch Tuesday is the informal name for Microsoft's monthly security update cycle, released on the second Tuesday of each month. The May 2026 edition shipped on Wednesday 13 May 2026 (adjusted from Tuesday 12 May) with 120 CVEs addressed and, notably, no vulnerabilities marked as exploited in the wild at the time of release. That result would have extended to 22 months the streak of Patch Tuesday releases without a release-day zero-day, a milestone Microsoft's security communications team had been tracking.

The streak was broken within 48 hours by two out-of-band KEV additions. CISA added Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) to its Known Exploited Vulnerabilities catalogue on 14 May with Emergency Directive ED 26-03 and a three-day federal remediation window. The following day, 15 May, CISA added Microsoft Exchange CVE-2026-42897, a cross-site scripting zero-day in Outlook Web Access rated CVSS 8.1, with a 29 May federal deadline and no patch available. Both were actively exploited. The 22-month no-zero-day streak was therefore a Patch Tuesday artefact rather than a security posture shift; the exploitation tempo continued outside the release window.

Notable fixes in the May 2026 Patch Tuesday batch include CVE-2026-41089 (Windows Netlogon remote-code execution, CVSS 9.8), CVE-2026-41103 (SSO Plugin elevation of privilege, CVSS 9.1), CVE-2026-42898 (Dynamics 365 remote-code execution, CVSS 9.9), and four Microsoft Word remote-code execution flaws exploitable via the Preview Pane attack vector. The release demonstrates that Patch Tuesday's value as a security signal is increasingly that of a lagging indicator: two of May's most consequential Microsoft-adjacent vulnerabilities arrived outside the scheduled cycle entirely.
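The practical lesson of the broken streak is that a "no zero-days at release" reading only holds if the KEV catalogue stays quiet for the days after the release as well. The following is an added example, not code from the briefing or from CISA: it checks constructed KEV-style records (field names mirror CISA's public KEV JSON feed; the Cisco due date is derived from the three-day window stated above, not quoted from the catalogue) against the release date and the fixes named on this page, and reports which out-of-band additions invalidate the streak.

```python
"""Flag KEV additions that land just after a Patch Tuesday but were not in the release.

Added example, not part of the original briefing. Record fields mirror CISA's KEV
JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the sample entries
are constructed from the dates quoted in the text.
"""
from datetime import date, timedelta

# Constructed: release date and the three named May 2026 fixes from the briefing.
PATCH_TUESDAY_RELEASE = date(2026, 5, 13)
PATCH_TUESDAY_CVES = {"CVE-2026-41089", "CVE-2026-42898", "CVE-2026-41103"}

# Constructed KEV-style records. Cisco dueDate = dateAdded + the stated three days.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "SD-WAN",
     "dateAdded": "2026-05-14", "dueDate": "2026-05-17"},
    {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-05-15", "dueDate": "2026-05-29"},
    # Placeholder older entry, included only to show it falls outside the window.
    {"cveID": "CVE-0000-00000", "vendorProject": "Placeholder", "product": "Placeholder",
     "dateAdded": "2026-04-02", "dueDate": "2026-04-23"},
]


def out_of_band_additions(kev, release, patched, window_days=2):
    """KEV entries added within `window_days` after `release` that the scheduled
    release did not patch, sorted by dateAdded. Any hit means exploitation
    continued outside the release window, whatever the release-day count said."""
    end = release + timedelta(days=window_days)
    hits = [e for e in kev
            if release <= date.fromisoformat(e["dateAdded"]) <= end
            and e["cveID"] not in patched]
    return sorted(hits, key=lambda e: e["dateAdded"])


def remediation_days(entry):
    """Federal remediation window implied by a KEV record, in days."""
    return (date.fromisoformat(entry["dueDate"])
            - date.fromisoformat(entry["dateAdded"])).days


def streak_holds(kev, release, patched, window_days=2):
    """True only if no exploited CVE surfaced in KEV around the release without a
    fix in that release; the streak is judged over the window, not release day."""
    return not out_of_band_additions(kev, release, patched, window_days)


if __name__ == "__main__":
    for e in out_of_band_additions(KEV_SAMPLE, PATCH_TUESDAY_RELEASE, PATCH_TUESDAY_CVES):
        print(f"{e['cveID']} ({e['vendorProject']} {e['product']}) added {e['dateAdded']}, "
              f"{remediation_days(e)}-day remediation window")
    print("streak intact:", streak_holds(KEV_SAMPLE, PATCH_TUESDAY_RELEASE, PATCH_TUESDAY_CVES))
```

Pointing `KEV_SAMPLE` at the live feed's `vulnerabilities` list turns this into a post-release check that runs for a few days after each Patch Tuesday.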

Source Material