Patch Tuesday May 2026: What UK Small Businesses Actually Need to Do This Week


Microsoft released patches for 120 vulnerabilities yesterday. Twenty-nine are rated Critical. Two of them affect components so fundamental to Windows networking that every business running Windows needs to act this week, not at the end of the month.

This is what the data shows. This is what it means for your business. This is what to do.

The Two Flaws That Actually Matter This Week

Among the May 2026 Patch Tuesday releases, two vulnerabilities stand out for UK small businesses.

CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon. CVSS score: 9.8. Netlogon is the protocol Windows uses to authenticate users against a domain. An unauthenticated attacker, one with no credentials at all, can send malicious traffic and execute code remotely. That means gaining control of a machine without logging in.

CVE-2026-41096 is a heap-based buffer overflow in Windows DNS. CVSS score: 9.8. DNS is the system that translates domain names into IP addresses. If your Windows Server handles DNS for your office network, which is common in businesses using Active Directory, this flaw allows the same outcome: unauthenticated remote code execution.

Neither has been reported as exploited in the wild as of publication. That status can change quickly: proof-of-concept exploit code typically emerges within days of a Patch Tuesday release, once researchers begin reverse-engineering the patches.

Why “Not Yet Exploited” Is Not a Reason to Wait

The intelligence community has tracked the gap between patch release and active exploitation narrowing over recent years. A CVSS 9.8 flaw with no authentication requirement, affecting a protocol as widely deployed as Netlogon, is precisely the type of vulnerability that ransomware operators and initial access brokers prioritise.

The business model here is straightforward. Criminal groups monitor Patch Tuesday releases. They identify high-severity, widely deployed, unauthenticated flaws. They develop or purchase working exploits. They scan the internet for unpatched systems. The window between patch release and active scanning is measured in days, sometimes hours for the highest-value targets.

Waiting for your quarterly patch cycle to apply a CVSS 9.8 fix is not a risk management decision. It is an unexamined default that happens to create a ransomware welcome mat.

What Else Came Out This Week

Beyond the two headline Windows flaws, several other items warrant attention depending on what software your business runs.

Azure Entra ID (CVE-2026-40379, CVSS 9.3) has an information disclosure flaw allowing an unauthenticated attacker to perform spoofing over a network. If your business uses Microsoft Entra ID for identity management, which includes many Microsoft 365 customers, this is relevant. Microsoft cloud services are typically patched automatically, but it is worth confirming with your IT provider that Entra ID updates have been applied.

Azure Logic Apps (CVE-2026-42823, CVSS 9.9) has an improper access control flaw allowing privilege escalation. Logic Apps are used to automate workflows between services. If your business uses Power Automate or Logic Apps integrations, your cloud provider should have this in hand, but verify.

Exim mail server has a separate, non-Microsoft flaw disclosed this week affecting versions 4.97 through 4.99.2 built with GnuTLS. Exim is a popular open-source mail transfer agent used widely on Linux servers. If your business runs its own mail server, check with your hosting provider or IT support whether your Exim version is affected and whether updates have been applied.

The Exim flaw is notable because many small businesses use hosted platforms like Google Workspace or Microsoft 365 and are not affected. But businesses that self-host email, or whose web hosting includes a self-managed mail server, should check.

Why This Gives You an Edge

Businesses that patch promptly after Patch Tuesday operate in a measurably different risk category from those that do not. Opportunistic attackers, who account for the majority of incidents affecting small businesses, scan the internet for systems still exposed to vulnerabilities that already have a patch. Applying patches promptly removes your name from those scan results.

This is also a supplier and client expectation. Cyber Essentials, the UK government-backed certification scheme, requires that critical and high-severity vulnerabilities be patched within 14 days of a patch becoming available. A CVSS 9.8 flaw with a patch available on 12 May 2026 has a compliance deadline of 26 May 2026 for Cyber Essentials holders. Missing that deadline is not just a security failure; it is a certification failure.

If you hold Cyber Essentials and your MSP has not patched these within 14 days of release, that is a conversation worth having, in writing.

Making the Business Case

Three points for anyone who needs to explain this to a director or budget holder:

The flaw is public and the clock is running. Microsoft has disclosed these vulnerabilities publicly. That disclosure is a signal to every researcher and criminal group in the world. The window before exploitation attempts begin is short. Patching now is the lowest-cost option available.

The patch costs nothing and is already available. Windows Update delivers this fix automatically, or your IT provider applies it. There is no procurement decision, no vendor negotiation, no cost beyond the time to apply and test. The cost of not patching is potentially total: ransomware recovery for a small business without tested backups can run to tens of thousands of pounds, plus regulatory exposure under UK GDPR if personal data is compromised.

Cyber Essentials compliance requires it. If your business holds or is pursuing Cyber Essentials certification, patching critical vulnerabilities within 14 days is a requirement, not a recommendation. The deadline for this batch is 26 May 2026.

What to Do This Week

  1. Apply Windows updates on every machine and server. Open Settings, go to Windows Update, and confirm that May 2026 updates are installed. On Windows Server, use Windows Server Update Services or your management tooling. Do not rely on automatic updates being enabled without verifying they have actually run.

  2. Confirm with your MSP or IT provider. If a managed service provider handles patching for you, contact them today and ask for written confirmation that CVE-2026-41089 and CVE-2026-41096 have been patched across your estate. Get the response in writing. If they cannot confirm, escalate.

  3. Check your Exim installation if you self-host email. If your business runs its own mail server or uses a hosting provider that includes a managed mail server, ask whether Exim is in use and whether it has been updated beyond version 4.99.2.

  4. Review your patch management process. If this month’s news caught you off guard, that is a process problem. Your patching cycle should include a check on Patch Tuesday releases every second Tuesday of the month. It takes 20 minutes. The alternative is discovering a missed patch after a breach.

  5. Check Windows Update is not paused. Some systems have Windows Update paused after a previous problematic update. Go to Settings, Windows Update, and confirm updates are not paused. A paused system is a system that has not received this month’s fixes.
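Steps 1 and 5 can be verified rather than eyeballed. The PowerShell script below is an added example, not from the article or from Microsoft: it assumes the 12 May 2026 release date given above, and the registry path and value names used for the pause check are assumptions based on common Windows 10/11 layouts. Run it in an elevated PowerShell session on each Windows machine or server.

```powershell
# Added example: verify this month's Windows updates have actually landed on this host.
# Assumptions: release date from the article; registry pause markers as used on Windows 10/11.

$PatchTuesday = Get-Date '2026-05-12'   # May 2026 Patch Tuesday release date (from the article)

# 1. Is Windows Update paused?  The Settings app records a pause under UX\Settings.
#    (Path and value names are assumptions; absent values simply mean "not paused".)
$ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pauseMarkers = 'PauseUpdatesExpiryTime', 'PauseQualityUpdatesStartTime', 'PauseFeatureUpdatesStartTime'
$paused = $false
foreach ($name in $pauseMarkers) {
    $value = (Get-ItemProperty -Path $ux -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) { Write-Warning "Windows Update pause marker present: $name = $value"; $paused = $true }
}
if (-not $paused) { Write-Host 'No Windows Update pause markers found.' }

# 2. Which updates have actually been installed since Patch Tuesday?
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
          Sort-Object InstalledOn |
          Select-Object HotFixID, Description, InstalledOn
if ($recent) { $recent | Format-Table -AutoSize }
else { Write-Warning "No hotfixes recorded since $($PatchTuesday.ToShortDateString()); this month's fixes are not installed." }

# 3. Ask the Windows Update Agent (COM API) what is still outstanding.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
foreach ($u in $pending) {
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    '{0,-10} {1}' -f $severity, $u.Title
}
if ($pending.Count -eq 0) { Write-Host 'Windows Update Agent reports no outstanding software updates.' }

# 4. Is this host a domain controller or DNS server?  Those are the machines the two
#    headline CVEs (Netlogon, Windows DNS) concern, so they go to the front of the queue.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($domainRole -ge 4) { Write-Warning 'This host is a domain controller: Netlogon exposure, patch first.' }
if ($dnsService)       { Write-Warning 'This host runs the DNS Server service: Windows DNS exposure, patch first.' }
```

Keep the output (or a screenshot of it) with the written confirmation you request from your MSP in step 2; a pause marker or an empty hotfix list since 12 May is exactly the evidence that step is meant to surface.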

Sources

NIST NVD: CVE-2026-41089, Stack-based buffer overflow in Windows Netlogon
NIST NVD: CVE-2026-41096, Heap-based buffer overflow in Windows DNS
NIST NVD: CVE-2026-40379, Exposure of sensitive information in Azure Entra ID
Cyber Security News: Microsoft Patch Tuesday May 2026: 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws
TheCyberThrone: Microsoft Patch Tuesday: May 2026
Zero Day Initiative: The May 2026 Security Update Review
The Hacker News: New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
NCSC: Cyber Essentials: Requirements for IT Infrastructure
