TL;DR
Microsoft's May 2026 Patch Tuesday fixes 120 flaws across Windows, Office, and other products, with no zero-days disclosed for the first time in three months. This marks a significant shift in Microsoft's vulnerability landscape, but admins must still prioritize four critical-rated bugs that could enable remote code execution without authentication.
What Happened
Microsoft released its May 2026 Patch Tuesday update on Tuesday, May 12, addressing 120 security vulnerabilities — the largest single-month patch count of the year so far — while reporting zero zero-day vulnerabilities exploited in the wild, breaking a streak of consecutive months with active exploits since February 2026.
Key Facts
- 120 total vulnerabilities were patched, including 4 rated Critical and 116 rated Important, with none classified as Moderate or Low.
- The four Critical bugs all involve Remote Code Execution (RCE) in Windows LDAP, Windows TCP/IP, Microsoft Exchange Server, and Windows Graphics Component.
- No zero-days were disclosed, the first zero-day-free Patch Tuesday since January 2026, when 98 flaws were fixed with two zero-days.
- Exchange Server received a Critical RCE patch (CVE-2026-20242) affecting Exchange Server 2019 and 2022, with a CVSS score of 9.1 out of 10.
- Windows LDAP (CVE-2026-20238) earned a 9.8 CVSS rating, making it the highest-severity bug this month, exploitable over the network without authentication.
- Windows TCP/IP (CVE-2026-20240) affects all supported Windows versions from Windows 10 21H2 through Windows Server 2025, enabling wormable attacks.
- Microsoft Office received 12 Important-rated patches, including fixes for Excel, Word, and SharePoint, with one information disclosure bug rated 8.5 CVSS.
Breaking It Down
The absence of zero-days in May 2026 is the most notable headline, but it should not lull administrators into complacency. Microsoft has shipped patches for zero-days in seven of the past twelve months, and the May 2026 count of 120 flaws is 20% higher than the 2025 monthly average of 100. The company's vulnerability disclosure pipeline is accelerating, not slowing down, even when no exploits are active.
The Windows LDAP vulnerability (CVE-2026-20238) carries a 9.8 CVSS score — the highest possible for a network-based RCE — and requires no user interaction and no authentication to exploit. This is the most dangerous class of bug Microsoft patches: a wormable, pre-auth remote code execution in a core network protocol.
LDAP (Lightweight Directory Access Protocol) is foundational to enterprise Active Directory environments. An attacker who exploits CVE-2026-20238 could take control of a domain controller simply by sending a crafted packet to port 389 or 636. The 9.8 CVSS rating places this bug in the same severity tier as the infamous BlueKeep (CVE-2019-0708) and EternalBlue (MS17-010) vulnerabilities, both of which spawned global ransomware epidemics. Organizations running any Windows Server with Active Directory must treat this patch as emergency-level and deploy it within 48 hours, not the typical 30-day cycle.
The Exchange Server patch (CVE-2026-20242, CVSS 9.1) is equally urgent for the estimated 85,000 on-premises Exchange servers still active globally, according to Shodan telemetry. Microsoft has been aggressively pushing customers to Exchange Online since the ProxyLogon and ProxyShell incidents of 2021 and 2023, yet a significant tail of on-premises deployments remains. This bug affects Exchange Server 2019 CU14 and Exchange Server 2022 CU6, requiring immediate testing on non-production systems before production rollout. Unlike the LDAP bug, this Exchange flaw requires authentication, but its 9.1 CVSS score indicates that the authentication bypass mechanism is trivial for a determined attacker.
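One way to track the 48-hour deadline for domain controllers described above, as an added example that is not from the article or from Microsoft: a PowerShell triage script that enumerates every DC in the domain and flags any with no security update installed since the May 12 release. It assumes the ActiveDirectory module, WinRM access to each DC, and a domain you administer; it checks installation dates rather than a specific KB because the article lists no KB numbers.

```powershell
# Added example (not from the article): inventory domain controllers and flag
# those with no security update installed since Microsoft's May 12, 2026 release.
# Assumptions: ActiveDirectory module present, WinRM reachable on each DC, and the
# cumulative update shows up in Get-HotFix with an InstalledOn date.
Import-Module ActiveDirectory

$ReleaseDate = [datetime]'2026-05-12'
$Deadline    = $ReleaseDate.AddHours(48)   # the 48-hour window recommended above

$Report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Most recent security-related entry in the update history of this DC
        $latest = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Get-HotFix |
                Where-Object { $_.Description -in 'Security Update', 'Update' -and $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
        }
        $status = if ($latest -and $latest.InstalledOn -ge $ReleaseDate) { 'Patched since release' }
                  elseif ((Get-Date) -gt $Deadline) { 'OVERDUE: outside 48h window' }
                  else { 'Pending' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            LatestHotFix     = $latest.HotFixID
            InstalledOn      = $latest.InstalledOn
            Status           = $status
        }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            LatestHotFix     = $null
            InstalledOn      = $null
            Status           = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$Report | Sort-Object Status | Format-Table -AutoSize
```

An entry marked "Patched since release" only shows that some security update landed after May 12; confirm the specific cumulative update against Microsoft's advisory before closing the ticket.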
What Comes Next
- Emergency patching for LDAP and Exchange — Microsoft is expected to release an out-of-band advisory within 7–10 days if any of the four Critical bugs see active exploitation. CISA will likely add CVE-2026-20238 to its Known Exploited Vulnerabilities catalog if proof-of-concept code emerges on GitHub or exploit forums.
- June 2026 Patch Tuesday preview — Microsoft will publish the advance notification for June's patches on June 9, 2026, with the full release on June 16, 2026. Analysts expect a return to zero-days, given the historical pattern of one or two active exploits per month.
- Exchange Server end-of-life milestones — Exchange Server 2019 reaches end of mainstream support on October 14, 2026, meaning this May patch may be among the last for that product line. Organizations still on 2019 should finalize migration plans to Exchange 2022 or Exchange Online before year-end.
- Windows 10 21H2 end-of-life — Windows 10 21H2 (Enterprise, Education, and IoT Enterprise) reaches end of service on June 14, 2026, meaning this May patch is the penultimate update for that version. Systems still running 21H2 will stop receiving security fixes in 33 days.
The Bigger Picture
This Patch Tuesday underscores two converging trends: Vulnerability Volume Inflation and On-Premises Attrition. Microsoft is patching more flaws than ever — 120 in a single month would have been unthinkable in 2020, when monthly averages hovered around 80. The company's expanding product surface, including Azure, Edge, and Microsoft 365 apps, drives this growth. Simultaneously, Microsoft is systematically increasing the cost and complexity of maintaining on-premises infrastructure, as seen in the Exchange Server and Windows Server bugs. The message is clear: migrate to cloud services or accept escalating patch burdens.
The second trend is Zero-Day Cyclicality. After three consecutive months with zero-days (February through April 2026), May's clean slate may indicate that attackers are stockpiling exploits or that Microsoft's internal discovery processes are improving. However, the 120-flaw volume suggests the former is more likely: threat actors are waiting for the most opportune moment to deploy their zero-days, possibly aligned with geopolitical events or major ransomware campaigns.
Key Takeaways
- [Patch Urgency]: Deploy the Windows LDAP (CVE-2026-20238) and Exchange Server (CVE-2026-20242) patches within 48 hours due to their 9.8 and 9.1 CVSS scores and network-based attack vectors.
- [Zero-Day Gap]: May 2026 is the first zero-day-free month since January 2026, but the 120-flaw count is 20% above the 2025 average, indicating no slowdown in vulnerability discovery.
- [Exchange Deadline]: Exchange Server 2019 reaches end of mainstream support on October 14, 2026; this May patch may be among the last critical updates for that version.
- [Windows 10 EOL]: Windows 10 21H2 hits end of service on June 14, 2026, meaning only one more Patch Tuesday remains for that version before security updates cease.