Patch Tuesday May 2026: The Four Bugs UK SMBs Must Fix This Week
Yesterday was Patch Tuesday. Microsoft published 137 CVEs, depending on how you count them. Thirty rated critical. Fourteen with a CVSS score of 9.0 or higher. For the first time since June 2024, no zero-days. Nothing actively exploited in the wild.
That’s the headline. Here’s what to do about it.
The shape of the release
The numbers vary by source. The Register cited 137 CVEs and 30 critical. SC Media confirmed 137 with 14 critical CVSS scores. BleepingComputer counted 120. The difference is accounting. BleepingComputer excluded Azure, Mariner, Microsoft Copilot, Teams, and Partner Center vulnerabilities that were fixed earlier in the month. Talos at Cisco counted 31 as critical. Microsoft’s own grouping shows 30. None of this changes what you need to patch. It just explains why the numbers in different headlines don’t match.
Tom Gallagher, VP of engineering at the Microsoft Security Response Center, posted a note alongside the release. The substance of it: AI tooling is now finding more bugs faster, so future Patch Tuesday releases will trend larger on average. Microsoft’s own AI-driven scanning harness, codenamed MDASH, was responsible for finding 16 of the vulnerabilities patched this month. The April release contained 169 CVEs, the second-highest in Patch Tuesday history. According to Tenable, Microsoft is on pace to surpass the 2020 record of 1,245 CVEs in a single calendar year.
Plan for bigger releases. Build the operational capacity to absorb them.
Bug one: Windows Netlogon (CVE-2026-41089)
Priority one. Stack-based buffer overflow in Windows Netlogon. CVSS 9.8. Unauthenticated, remote, and according to the Zero Day Initiative’s Dustin Childs, wormable. An attacker who compromises one domain controller can use that machine to attack the next without further authentication.
If you remember CVE-2020-1472, the ZeroLogon vulnerability from 2020, this is in the same neighbourhood. The Cyber Daily analysis was blunt about the consequence: a compromised domain controller is a compromised domain. Exploitation in the context of the Netlogon service runs as SYSTEM on the domain controller. That gets the attacker the Active Directory database, password hashes, and persistent administrative control.
Patches are available for all Windows Server versions from 2012 onwards.
If you run an on-premises domain controller, this is priority one. Schedule the patch in the next 48 hours. If you have multiple domain controllers, test on one, reboot, verify replication, then roll out to the others. Roughly one hour per domain controller including verification.
If you’re fully cloud, fully Entra ID, no on-premises Active Directory, you can skip this. Check before you assume. Plenty of small businesses still have a legacy domain controller somewhere nobody documented properly. Find it. Patch it. Then have the conversation about whether it should still exist.
Bug two: Windows DNS Client (CVE-2026-41096)
Priority two. Heap-based buffer overflow in the Windows DNS Client. CVSS 9.8. No authentication required. No user interaction needed. An attacker who can influence DNS responses, including via a man-in-the-middle position or a malicious DNS server, can trigger remote code execution on the vulnerable Windows machine.
The attack surface is enormous because the DNS Client runs on every Windows machine you operate. Microsoft has rated exploitation as less likely, citing modern memory protections like heap address randomisation. That’s fair, but it’s not a reason to leave the patch sitting in your test ring for three weeks. Jack Bicer at Action1 spelled out the consequences if exploitation does happen: widespread endpoint compromise, ransomware deployment, credential harvesting, operational disruption across the corporate network.
Patch your endpoints. All of them. Test ring first, then production, by the end of the week.
Bug three: Dynamics 365 on-premises (CVE-2026-42898)
CVSS 9.9. Remote code execution in Microsoft Dynamics 365, on-premises only. Any authenticated user with low-level access can trigger it. The Zero Day Initiative flagged this as a scope change vulnerability, meaning the impact extends beyond the vulnerable component into systems it integrates with.
Most UK small businesses on Dynamics 365 use the cloud version, which isn’t affected. If you’re on-premises, patch this week.
Bug four: Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103)
This is the one most people will miss. Critical elevation of privilege vulnerability in the Microsoft Single Sign-On Plugin for Atlassian Jira and Confluence. Microsoft has rated exploitation as “more likely,” which is the designation that should always move a vulnerability up your priority list.
An unauthenticated attacker can impersonate an existing user by presenting forged credentials, bypassing Entra ID authentication entirely.
The awkward part. The SANS Internet Storm Center analysis noted that the patch links on Microsoft’s advisory point to plugin versions published in 2024. That’s curious, and it’s a warning. Verify the fix with Atlassian, not just Microsoft. If you self-host Jira or Confluence with Entra ID single sign-on, raise a ticket with Atlassian, ask which plugin version contains the actual remediation, and update separately from the Windows patch cycle.
The bug you can ignore
CVE-2026-42826. CVSS 10.0. A perfect score. Information disclosure vulnerability in Azure DevOps.
Microsoft has already fully mitigated it on their side. No customer action required. The CVE exists for transparency. When you read this week’s headlines about “perfect 10 critical bug in May Patch Tuesday,” that’s the one. Already fixed. Move on.
The known issue: BitLocker recovery key prompt
After installing this update, some Windows devices will prompt for a BitLocker recovery key on the first restart. Microsoft has documented this. It’s not a bug. It’s what happens when a Secure Boot certificate update changes the boot environment that BitLocker measures.
The trigger conditions are specific: BitLocker enabled on the operating system drive, Group Policy configured to validate PCR7 in the TPM platform validation profile, a system where PCR7 binding is reported as “Not Possible” in msinfo32, and the Windows UEFI CA 2023 certificate present in the Secure Boot signature database.
For most small businesses with default BitLocker configuration, this won’t trigger. For organisations running custom security baselines on managed Windows fleets, it might. Three steps to avoid it:
- Before deploying the update, set the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured.”
- Confirm BitLocker recovery keys are backed up to Active Directory, Entra ID, or your chosen store. If you can’t tell anyone where the keys live, find out before you deploy.
- After deployment is stable, reapply the GPO if your security baseline requires it.
If your managed service provider is planning to push this update across your laptop fleet on Monday morning without verifying recovery keys first, ask them what their plan is when the senior team is locked out at 9am. The fact that the prompt is one-time is no comfort to a CEO who can’t find the key.
The five-step deployment plan
Step one. Today, the domain controller. If you have an on-premises domain controller, identify it, schedule a patching window in the next 48 hours, and apply this month’s Windows Server cumulative update. Each Server version receives one update, and that single update includes the Netlogon fix along with every other Server bug this month: KB5087539 for Windows Server 2025, KB5087545 for Windows Server 2022, KB5087541 for Windows Server 23H2. Older supported versions have their own KBs; check Microsoft’s release notes. Test on one DC if you have multiples, reboot, verify replication, then patch the others. Roughly one hour per domain controller.
Step two. Tomorrow, the test ring. Push this month’s endpoint cumulative update to a small test group. Same principle: one update per Windows version, covering everything in this release. The KB numbers:
- Windows 11 versions 24H2 and 25H2: KB5089549 (build 26100.8457 or 26200.8457)
- Windows 11 version 23H2: KB5087420 (build 22631.7079)
- Windows 11 26H1 on ARM: KB5089548 (build 28000.2113)
- Windows 10 versions 22H2 and 21H2 on the ESU programme: KB5087544 (build 19045.7291 or 19044.7291)
Watch the test ring for 24 to 48 hours. Confirm nobody is locked out of BitLocker.
Step three. End of the week, full deployment. Roll out to the rest of the estate. Friday deployment gives you the weekend to find and fix anything weird before staff log in on Monday.
Step four. Atlassian, separately. If you self-host Jira or Confluence with Entra ID single sign-on, raise the ticket with Atlassian and update the plugin independently of the Windows patch cycle.
Step five. Audit your backlog. If anything in your estate is more than three months behind on patches, that’s your real problem, not this Patch Tuesday. This release is routine maintenance. The Patch Tuesday you didn’t apply last September is the one that gets you compromised.
Beyond Microsoft
Microsoft wasn’t the only vendor publishing fixes on 12 May. Adobe released 32 vulnerabilities across ten products, including two critical flaws in Adobe Connect. SAP disclosed 15 new vulnerabilities, with two rated critical: CVE-2026-34260, a SQL injection in SAP S/4HANA, and CVE-2026-34263, a missing authentication check in SAP Commerce Cloud. AMD published an elevation of privilege vulnerability in the op-cache on Zen 2 processors. Apple released updates across macOS, iOS, watchOS, iPadOS, visionOS, and tvOS.
If your organisation runs any of those, this is also patch week for them. Don’t forget the Mac fleet.
How to turn this into a competitive advantage
Most UK small businesses don’t have a documented patching cadence. They have a managed service provider who applies updates “when they get round to it,” or they wait for things to break and then patch reactively. Neither qualifies as a security control.
A 48-hour patching window for critical vulnerabilities, with documented testing and rollback procedures, is a measurable differentiator in three places. First, in Cyber Essentials Plus certification, where patch management is explicitly assessed against a 14-day deadline for critical and high-severity issues. Second, in supplier security questionnaires, where larger customers increasingly ask for documented patching SLAs. Third, in cyber insurance applications, where insurers now ask specific questions about how quickly critical patches are deployed.
The businesses winning supplier contracts in 2026 are the ones that can answer the question “what’s your patching SLA for critical vulnerabilities” with a number, a process, and evidence.
How to sell this to your board
The Patch Tuesday cycle is the most predictable security operation in the calendar. It happens on the second Tuesday of every month. The vulnerabilities are catalogued. The exploitation likelihood is published. There’s no excuse for treating it as a surprise event each month.
Four arguments for the board:
- Operational discipline beats heroics. A documented monthly patching process costs less and reduces risk more than emergency response to a breach.
- Cyber insurance depends on it. Insurers now ask specific patching SLA questions. Documented evidence reduces premiums.
- Customer contracts increasingly require it. Patching SLA clauses appear in supplier agreements above a certain contract value. Being ready means winning the contract.
- Regulatory exposure is rising. Cyber Essentials Plus, NIS2, and DORA all reference patching cadence. Compliance is the floor, not the ceiling, but the floor still matters.
The cost of a documented patching process is low. The cost of not having one, when it’s asked for during an audit or after an incident, is high.
What this means for your business
Three things this week.
- Identify your on-premises domain controllers. Apply this month’s Windows Server cumulative update within 48 hours. One update per Server version covers the Netlogon fix and everything else.
- Roll out the May cumulative update to an endpoint test ring tomorrow. Confirm BitLocker keys are accessible before production deployment.
- Audit your patching backlog. If anything is more than three months behind, address that before the next Patch Tuesday lands.
This isn’t a panic month. It’s a maintenance month. Treat it that way, and finish it on time.
Sources
| Source | Article |
|---|---|
| Microsoft Security Response Center | A note on this month’s Patch Tuesday |
| Microsoft Security Update Guide | May 2026 Security Updates release notes |
| Microsoft Support | May 12, 2026 KB5087544 (Windows 10 ESU release notes) |
| The Register | Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs |
| BleepingComputer | Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days |
| BleepingComputer | Microsoft releases Windows 10 KB5087544 extended security update |
| BleepingComputer | Windows 11 KB5089549 and KB5087420 cumulative updates released |
| SC Media | Patch Tuesday: No zero days among 137 Microsoft CVEs, 4 Word RCEs |
| Cisco Talos | Microsoft Patch Tuesday for May 2026: Snort rules and prominent vulnerabilities |
| SANS Internet Storm Center | Microsoft May 2026 Patch Tuesday |
| Qualys | Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review |
| Cyber Daily | Op-Ed: Microsoft May Patch Tuesday reveals 137 vulnerabilities |
| CyberScoop | Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday |