All new patches will be approved in our patch policy.

 

This month’s releases address 120 security vulnerabilities without any zero-day patches. Of the 17 critical flaws, 14 are remote code execution, 2 are elevation of privilege.

• CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
• CVE-2026-41103 is an elevation of privilege vulnerability affecting Microsoft Single Sign-On Plugin for Jira and Confluence.
• CVE-2026-41096 is a Windows DNS Client remote code execution vulnerability.
• CVE-2026-40402 is an elevation of privilege vulnerability affecting Windows Hyper-V.
• June 26, 2026 is Secure Boot certificate expiration deadline.
• Server 23H2 reaches end of life this month.
• New SSU for Windows 10 1607/Server 2016.

This is the first Patch Tuesday in almost two years without any exploited zero-day flaws. While this is encouraging, the future of patching is changing rapidly. Read “A note on this month’s Patch Tuesday” below for Microsoft’s forecast.

 

Disclosed: None

Exploited: None

 

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:3/1/2018 | Last Updated: 5/12/2026)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.

 

Heads Up!

Windows Secure Boot certificate expiration

Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates and the Windows Server Secure playbook blog.

Windows Secure Boot certificate expiration and CA updates

https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

 

End of updates Windows Server 23H2

As of the May 2026 security update, Windows Server, version 23H2 is no longer supported for monthly security and quality updates.

End of updates statement

https://support.microsoft.com/en-gb/topic/end-of-updates-statement-49646eb1-b01b-487d-9521-28147459eb8e

 

FYI “A note on this month’s Patch Tuesday”

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-note-on-patch-tuesday

 

Known Issues

No new known issues reported by Microsoft. The BitLocker recovery key prompt on the first restart issue persists. The domain controller multiple restart issue was fixed with an out-of-band patch on April 19th.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

• KB5087471 – Windows Server 2012 R2 (ESU)
• KB5087470 – Windows Server 2012 (ESU)

 

Cumulative Updates

Windows 10

• KB5087544 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
• KB5087544 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)

(Versions 1507,1511,1607,1703,1709,1803,1809,1903,1909,2004,20H2,21H1 are no longer under support)

 

Windows 11

• KB5087420 – 23H2 (OS Build 22631)
• KB5089549 – 24H2 (OS Build 26100)
• KB5089549 – 25H2 (OS Build 26200)
• KB5089548 – 26H1 (OS Build 28000)

(Version 21H2,22H2 are no longer under support)

 

Windows Server

• KB5087537 – Server 2016 (EOS January 2027)
• KB5087538 – Server 2019 (EOS January 2029)
• KB5087545 – Server 2022 (OS Build 20348)
• KB5087541 – Server 23H2 (OS Build 25398)
• KB5087539 – Server 2025 (OS Build 26100)

 

May 2026 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/may-2026-updates-for-microsoft-office-7a3bbf98-0bdb-44d9-a7a3-a3d120116e93

 

Notable CVEs

 

CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40402

Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

 

CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41089

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.

 

CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41096

Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication.

 

CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network. An attacker who successfully exploited this vulnerability could bypass authentication and gain unauthorized access to Jira or Confluence as a valid user. This may allow the attacker to view or modify content and perform actions with the same permissions as the compromised account, based on the authorization levels defined for that user within the Jira or Confluence server.