May 2026 Patch Tuesday: 139 Fixes Address Critical RCEs and BitLocker Issues


Microsoft released 139 security updates this May, covering Windows, Office, .NET, and SQL Server—but notably skipping Microsoft Exchange Server. While no zero-day vulnerabilities were patched, the sheer volume of critical remote code execution (RCE) flaws and unresolved BitLocker issues demand immediate attention. Below, we break down the most urgent updates, known problems, and mitigation steps.

Overview of May Patch Tuesday Updates

The May 2026 Patch Tuesday bundle includes fixes across multiple Microsoft product families, but the standout threats are three unauthenticated network RCEs and four Word Preview Pane RCEs. The Readiness team recommends accelerating deployment, starting with internet-facing services, domain controllers, and Office endpoints. The major revisions section provides further details on critical vulnerabilities.

Source: www.computerworld.com

Key Vulnerabilities and Affected Products

No Zero-Days, but Critical Risks Remain

Although this month lacks reported zero-days, the combination of network and preview-pane RCEs, alongside the lingering BitLocker issue, justifies an accelerated patching schedule. Organizations should prioritize testing for internet-facing and domain controller systems.

Known Issues and Resolved Problems

Patch Tuesday arrived with relatively few reported issues for Windows 11 24H2/23H2, Windows 10 22H2, and Windows Server 2025—but two noteworthy problems persist.

BitLocker Recovery Condition Persists

Windows 10 and Windows Server customers remain exposed to the April 2026 BitLocker recovery condition. This occurs on devices configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 profile. Microsoft advises reviewing KB5027396 for mitigation steps.


Graphics Driver Downgrade Issue

Microsoft acknowledged on the Hardware Dev Center that Windows Update may replace manually installed graphics drivers with older OEM versions. The ranking algorithm uses four-part Hardware IDs rather than version numbers, causing unintended downgrades for users who actively manage their display drivers.

Resolved: KB5089549 for PCR7/BitLocker

KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition. It also improves Boot Manager servicing so subsequent boot file updates no longer trigger recovery. This fix is critical for systems that were vulnerable to the earlier issue.

Secure Boot Certificate Distribution

Secure Boot certificate distribution now includes a new folder at C:\Windows\SecureBoot with automation scripts for IT teams. These scripts facilitate rolling out the Windows UEFI CA 2023 key replacement (CVE-2023-24932) ahead of the 2011 certificate expirations between June and October 2026.

Major Revisions and Mitigations

Given the Preview Pane issues, Microsoft offered specific mitigation advice for the Word RCE vulnerabilities.

Word Preview Pane RCEs (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367)

For full details on these flaws and other May updates, refer to the Microsoft Security Response Center.
