May 2026 Patch Tuesday: 16 Critical Flaws to Patch Now
Microsoft's May 2026 Patch Tuesday fixes 118+ flaws including 16 critical. Here's which ones to patch first and why patch volumes are only going up.
Microsoft’s May 2026 Patch Tuesday addressed over 118 security vulnerabilities, 16 of them rated critical. For the first time in nearly two years, none are actively exploited zero-days. That sounds like good news, and it is, but 16 critical flaws means the exploitation clock started ticking the moment Microsoft published the details. Attackers reverse-engineer patches to build exploits, and the window between “patch available” and “exploit in the wild” keeps shrinking.
This is a significant drop from April’s near-record 168 patches, but the number of critical vulnerabilities actually doubled. If your business runs Windows servers, uses Microsoft Entra ID (formerly Azure AD), or has any Windows machines on the network (you do), three of these 16 deserve your immediate attention.
The Three Vulnerabilities That Matter Most
Not all 16 critical flaws carry the same risk for a typical SMB network. These three target infrastructure components that exist in virtually every business environment.
CVE-2026-41089: Domain Controller Takeover via Netlogon
This is the most dangerous vulnerability in the batch. A buffer overflow in the Windows Netlogon Remote Protocol allows an attacker to gain SYSTEM-level privileges on domain controllers. Every Windows Server version since Server 2012 is affected.
Domain controllers are the backbone of your network identity system. They control who can log in, what they can access, and how your security policies are enforced. An attacker with SYSTEM privileges on a domain controller effectively owns your entire network. They can create admin accounts, disable security tools, access any file share, and move laterally to every connected system.
The attack requires network access but does not require authentication, which means an attacker who gets inside your network perimeter, through a phishing email, a compromised VPN credential, or an exposed service, can escalate directly to full domain control. Patch your domain controllers first.
CVE-2026-41103: Entra ID Credential Forgery
Microsoft flagged this vulnerability as “more likely to be exploited,” which is their way of saying the technical barrier to building a working exploit is low. The flaw allows an attacker to forge credentials and impersonate any user in your Entra ID tenant.
For businesses that use Microsoft 365, this is a direct path to email accounts, SharePoint, Teams, and any application that relies on Entra ID for authentication. An attacker impersonating a CFO can approve wire transfers, access financial documents, and send emails that appear completely legitimate. An attacker impersonating an IT admin can modify security policies, disable multi-factor authentication, or grant themselves persistent access.
Microsoft is handling the server-side fix for Entra ID, but organizations need to verify that any on-premises components tied to Entra Connect or hybrid identity configurations are updated. Check with your IT team or managed IT provider to confirm your hybrid identity infrastructure is patched.
CVE-2026-41096: Windows DNS Client Remote Code Execution
This one affects every Windows machine on your network. The Windows DNS client, the component that translates domain names into IP addresses every time your computer connects to anything, has a remote code execution vulnerability. An attacker who controls or compromises a DNS server (or positions themselves as a man-in-the-middle) can execute arbitrary code on any Windows client that queries the malicious DNS response.
DNS is fundamental to how networks function. Every device makes DNS queries constantly, which makes this vulnerability’s attack surface enormous. The practical risk depends on your network architecture and whether an attacker can intercept or redirect DNS traffic, but the universal footprint of this flaw makes it a priority for every organization.
What “No Zero-Days” Actually Means
This is the first Patch Tuesday since June 2024 without an actively exploited zero-day. That means none of these 118+ vulnerabilities had confirmed exploitation before the patches were released. It does not mean they are low risk.
The moment Microsoft publishes patch details, security researchers and attackers alike begin analyzing the changes to understand what was fixed and how to exploit it. For critical vulnerabilities with clear attack paths, working exploits can appear within days. The three vulnerabilities above are prime candidates: they affect widely deployed components, require relatively low complexity to exploit, and deliver high-impact results.
“No zero-days” means you have a head start. It does not mean you have time to wait.
Why Patch Volumes Keep Climbing
May’s 118 vulnerabilities are actually a decrease from April’s 168, but the longer trend is clear: Microsoft is finding and disclosing more vulnerabilities per release than it did two or three years ago. Part of that increase is attributed to Project Glasswing, Microsoft’s AI-assisted vulnerability discovery program that uses machine learning to identify security flaws in code at a scale that manual review cannot match.
This is a double-edged reality for IT teams. More vulnerabilities discovered before exploitation is genuinely better than attackers finding them first. But each discovered vulnerability generates a patch that needs to be tested, deployed, and verified across your environment. The operational burden of staying current grows with every release cycle.
For businesses that handle patching internally, this trend means the monthly patching workload is not going to shrink. What used to be a manageable afternoon of updates is becoming a multi-day process of prioritization, testing, staged deployment, and verification. If your IT team is already stretched thin, the math does not improve from here.
A Practical Patch Priority Framework
You cannot patch everything simultaneously. Here is a prioritization approach that balances risk reduction with operational reality.
Tier 1: Patch Within 48 Hours
- Domain controllers and identity infrastructure (CVE-2026-41089, CVE-2026-41103). These are the keys to your kingdom. An attacker who compromises identity infrastructure can bypass every other security control you have in place.
- Any system exposed to the internet. Remote Desktop servers, VPN appliances, web-facing applications. External exposure plus a critical vulnerability is the combination that attackers scan for first.
Tier 2: Patch Within One Week
- DNS infrastructure and all Windows endpoints (CVE-2026-41096). The DNS client vulnerability affects every Windows machine, but exploitation requires a more specific attack path than the identity flaws. Prioritize servers and machines on less-trusted network segments.
- Remaining critical vulnerabilities. The other 13 critical flaws cover components like Hyper-V, Windows Routing and Remote Access, and other server roles. If you run the affected services, patch them in this window.
Tier 3: Patch Within 30 Days
- Important and moderate severity patches. The remaining 100+ vulnerabilities are lower severity, but “important” rated flaws can still be chained with other exploits to escalate an initial compromise. Don’t ignore them; just patch the critical items first.
Test Before You Deploy
Even urgent patches need basic validation. Apply updates to a small group of non-critical systems first, verify that key applications still function, and then roll out broadly. The one scenario worse than a delayed patch is a patch that breaks a critical business application across your entire organization.
If your environment uses Windows Autopatch, eligible devices will receive many of these updates automatically with staged rollouts built in. For everything else, your IT team or managed IT provider needs to manage the deployment manually.
What This Means for Your Patching Strategy
Monthly patching is not a one-time task you complete and forget. It is a recurring operational process that requires asset inventory, vulnerability prioritization, staged deployment, verification, and documentation. The businesses that stay protected are the ones with a systematic approach.
If any of the following describe your current patching situation, this month’s release should be a wake-up call:
- You don’t know how many domain controllers you have. If you cannot answer that question in under a minute, you cannot patch CVE-2026-41089 with confidence.
- Your patches are more than 30 days behind. Industry data consistently shows that most breaches exploit vulnerabilities with patches available for months. The gap between “patch available” and “patch applied” is where attackers operate.
- Patching is one person’s side job. When a release includes 16 critical vulnerabilities, patching requires dedicated time, testing, and follow-up. Treating it as something your IT person does “when they get to it” means it does not get done on time.
- You have no way to verify patches deployed successfully. Pushing updates is not the same as confirming they installed. Systems fail to patch for dozens of reasons: pending reboots, disk space, software conflicts, connectivity issues. Without verification, you are guessing at your security posture.
A managed patching program handles all of this systematically: maintaining asset inventories, prioritizing based on severity and exploitability, testing before deployment, deploying in stages, verifying success, and documenting the entire process for compliance purposes. For most SMBs, building this capability internally costs more in staff time and risk exposure than outsourcing it to a team that does it every month across hundreds of environments.
Need Help Keeping Up With Patch Management?
Our team can prioritize, test, and deploy patches across your entire environment so critical vulnerabilities don't sit unpatched.
Get a Free AssessmentThe Bottom Line
May 2026’s Patch Tuesday is a reminder that “no zero-days” is not the same as “nothing to worry about.” Sixteen critical vulnerabilities affecting domain controllers, cloud identity, and DNS infrastructure require prompt action. The three most dangerous flaws, CVE-2026-41089, CVE-2026-41103, and CVE-2026-41096, should be at the top of every IT team’s list this week.
The broader trend is equally important: AI-assisted vulnerability discovery is accelerating the rate at which security flaws are found. That means larger patch releases, more frequent critical updates, and a growing operational burden for businesses that manage their own IT. Having a systematic, repeatable patching process is no longer optional. It is the baseline for staying protected.
Patch your domain controllers today. Verify your Entra ID configuration. Update your DNS infrastructure. And if your current patching process cannot keep up with this volume, it is time to fix the process.