

Patch [Fix] Tuesday: May 2026

A quiet Microsoft release, a loud month, and AI-discovered CVEs across all three operating systems


On the surface, this is the quietest Patch Tuesday Microsoft has shipped in a while. Zero actively exploited, zero publicly disclosed at release, and a net-new CVE count that comes in below the four-month average for 2026. Look at the headline and you'd think we caught a break.

We didn't.

The interesting story this month isn't in Microsoft's release notes. It's in what happened between the April and May patch cycles, what Apple shipped the day before, and who's showing up in the acknowledgement sections.

For the full breakdown, listen to the Patch [FIX] Tuesday podcast.

The month was not quiet

April's Patch Tuesday created a domain controller reboot loop on multi-domain forests running Privileged Access Management (PAM). Microsoft shipped out-of-band cumulative updates on April 19, one for each supported Windows Server SKU. A large set of Chromium fixes followed.

Two days later, Microsoft shipped a .NET 10.0.7 out-of-band release for CVE-2026-40372, an ASP.NET Core Data Protection elevation of privilege bug rated critical at CVSS 9.1. The managed authenticated encryptor was computing its HMAC tag over the wrong bytes of the payload, which let an attacker forge authentication cookies and gain SYSTEM-level access. That fix rolls into today's cumulative update, but anyone running ASP.NET Core apps needed it three weeks ago. The patch alone is not enough. Any data protection key that was live during the exposure window has to be treated as exposed, and in Data Protection's key-ring model rotating is not the same as revoking: older keys stay in the ring so existing payloads still unprotect, which means a token forged under an exposed key keeps validating until that key is revoked (or the key ring is replaced outright).
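To make that failure mode concrete, here is an added toy protector written for this post. It is not ASP.NET Core's implementation, and the advisory text above does not say which bytes the real encryptor mis-covered; the token layout, the SHA-256 counter-mode "cipher", the key ring and the uid/admin cookie are all constructed for illustration. The flawed variant computes the HMAC over the header only, so one flipped ciphertext byte turns admin=0 into admin=1 and still verifies; the fixed variant covers header and ciphertext together. The second function shows why rotation alone does not end the exposure: a token made under the old key keeps unprotecting until that key is revoked.

```python
import hashlib
import hmac
import secrets

# Constructed token layout (not ASP.NET Core's wire format):
#   key_id (4) || iv (16) || ciphertext || tag (32)
KEY_ID_LEN, IV_LEN, TAG_LEN = 4, 16, 32
HEADER_LEN = KEY_ID_LEN + IV_LEN


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; illustration only, not a real cipher."""
    blocks = (hashlib.sha256(enc_key + iv + ctr.to_bytes(4, "big")).digest()
              for ctr in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyRing:
    """Newest key protects; older keys keep unprotecting until revoked (Data Protection's model)."""

    def __init__(self):
        self._keys = {}           # key_id -> (enc_key, mac_key)
        self._revoked = set()
        self.default_id = None
        self.rotate()

    def rotate(self) -> bytes:
        key_id = secrets.token_bytes(KEY_ID_LEN)
        self._keys[key_id] = (secrets.token_bytes(32), secrets.token_bytes(32))
        self.default_id = key_id
        return key_id

    def revoke(self, key_id: bytes) -> None:
        self._revoked.add(key_id)

    def lookup(self, key_id: bytes):
        if key_id not in self._keys or key_id in self._revoked:
            raise ValueError("unknown or revoked key")
        return self._keys[key_id]


def protect(ring: KeyRing, plaintext: bytes, wrong_bytes: bool) -> bytes:
    enc_key, mac_key = ring.lookup(ring.default_id)
    iv = secrets.token_bytes(IV_LEN)
    header = ring.default_id + iv
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    # Flawed: the tag covers only the header, so the ciphertext is never authenticated.
    # Fixed: the tag covers everything that precedes it.
    covered = header if wrong_bytes else header + ct
    return header + ct + hmac.new(mac_key, covered, hashlib.sha256).digest()


def unprotect(ring: KeyRing, token: bytes, wrong_bytes: bool) -> bytes:
    header, ct, tag = token[:HEADER_LEN], token[HEADER_LEN:-TAG_LEN], token[-TAG_LEN:]
    enc_key, mac_key = ring.lookup(header[:KEY_ID_LEN])
    covered = header if wrong_bytes else header + ct
    if not hmac.compare_digest(hmac.new(mac_key, covered, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch")
    return _xor(ct, _keystream(enc_key, header[KEY_ID_LEN:], len(ct)))


def flip_last_plaintext_byte(token: bytes) -> bytes:
    """Attacker move: in counter mode a flipped ciphertext bit flips the same plaintext bit.
    The cookie below ends in 'admin=0', and '0' ^ 0x01 == '1'."""
    i = len(token) - TAG_LEN - 1
    return token[:i] + bytes([token[i] ^ 0x01]) + token[i + 1:]


def demo_forgery():
    """Return (tampered cookie accepted by flawed protector, accepted by fixed protector)."""
    cookie = b"uid=1042;admin=0"
    accepted = []
    for wrong_bytes in (True, False):
        ring = KeyRing()
        forged = flip_last_plaintext_byte(protect(ring, cookie, wrong_bytes))
        try:
            accepted.append(unprotect(ring, forged, wrong_bytes) == b"uid=1042;admin=1")
        except ValueError:
            accepted.append(False)
    return tuple(accepted)


def demo_rotation():
    """Return (old-key token still valid after rotate, still valid after revoke)."""
    ring = KeyRing()
    old_id = ring.default_id
    token = protect(ring, b"uid=7;admin=1", False)  # stand-in for a token forged in the exposure window
    ring.rotate()                                   # new default key; the old key is still in the ring
    after_rotate = unprotect(ring, token, False) == b"uid=7;admin=1"
    ring.revoke(old_id)
    try:
        unprotect(ring, token, False)
        after_revoke = True
    except ValueError:
        after_revoke = False
    return after_rotate, after_revoke


if __name__ == "__main__":
    print("forged cookie accepted (flawed, fixed):", demo_forgery())            # (True, False)
    print("old-key token valid (after rotate, after revoke):", demo_rotation())  # (True, False)
```

The point of the second demo is the operational one: after the fix lands, add a new key and revoke the ones that were live while the bug was reachable, then expect a wave of re-logins.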

Then came Linux. Copy-Fail (CVE-2026-31431) landed at the end of April. Dirty Frag (CVE-2026-43284 and CVE-2026-43500) followed in early May. Both chain to root on every major distribution in production. We covered Dirty Frag in detail on episode 31 of the Patch [FIX] Tuesday podcast.

When I say May Patch Tuesday is quiet, I mean the May 12 box of CVEs is quiet. The month has not been quiet.

CVE-2026-41089 [Critical]

Windows Netlogon remote code execution vulnerability

CVE-2026-41089 (CVSS 9.8/10) is a stack-based buffer overflow in Windows Netlogon. An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you've been doing this long enough, the description language sounds sadly familiar.

I'd be careful drawing a direct line to Zerologon. The underlying bug is a stack overflow, not a crypto protocol flaw, and Microsoft has not labeled this one as wormable. The mechanism is different, but the blast radius is still ugly when you're talking about pre-auth code execution on a domain controller.

How attackers may exploit this vulnerability

  • An unauthenticated attacker on the same network as a domain controller sends a crafted Netlogon request that triggers the stack overflow.

  • Successful exploitation gives the attacker code execution on the DC itself, which collapses the trust boundary for the entire forest.

  • Inside an already-compromised perimeter, this becomes a fast path to forest-wide takeover.

What to look out for

  • Unexpected crashes or service restarts on the Netlogon service across your domain controllers.

  • Anomalous Netlogon traffic patterns from non-DC source addresses, particularly bursts of malformed requests.

  • Authentication failures or domain trust errors immediately after suspicious network activity hitting a DC.

Mitigation guidance

  • Patch all domain controllers in the same maintenance window. Half-patched forests are not a defensible state for a pre-auth DC bug.

  • Restrict Netlogon traffic at the network layer. Domain controllers do not need to accept Netlogon from arbitrary segments. Netlogon rides on RPC (the endpoint mapper on TCP 135, the dynamic RPC port range, and the NETLOGON named pipe over SMB on TCP 445), so there is no single port to close; the practical control is limiting those ports on DCs to the segments that actually hold domain members and other DCs.

  • Review your DC exposure. Any path that lets unauthenticated traffic reach a DC needs to be on your same-week remediation list until this is patched.

CVE-2026-41096 [Critical]

Windows DNS client remote code execution vulnerability

CVE-2026-41096 (CVSS 9.8/10) is a heap overflow in the Windows DNS client, triggered by a malicious DNS response. Any Windows host issuing a DNS query is potentially in scope, which includes every workstation sitting behind a compromised resolver.

The Netlogon flaw and this DNS client flaw are the two at the top of my list this month. Neither needs internet reachability to matter. Once an attacker is inside your perimeter, a bug like this turns initial access into lateral movement and privilege escalation in the same afternoon.

How attackers may exploit this vulnerability

  • A compromised or attacker-controlled DNS resolver returns a malicious response that triggers the heap overflow in the client.

  • Man-in-the-middle attackers on the network path can intercept and rewrite DNS responses to deliver the exploit.

  • Any client that performs DNS lookups, including servers, workstations, and DNS-aware services, is in scope.

What to look out for

  • Unexpected DNS client crashes on Windows endpoints.

  • Endpoints resolving names through resolvers that are not in your approved list.

  • DNS responses with anomalously large payloads or unusual record types showing up in network telemetry.

Mitigation guidance

  • Patch all Windows endpoints, not just servers. Workstations issuing DNS queries are exposed.

  • Lock client DNS configuration to trusted, authenticated resolvers, and block unauthorized DNS traffic at the egress point. That narrows the on-path tampering vector; it does not guarantee that a malicious answer served from an attacker-run authoritative zone is scrubbed by your resolver before it reaches the client, so treat resolver lock-down as a complement to the patch, not a substitute.

  • If you operate split-horizon DNS, audit which clients use which resolver and make sure no client falls back to an untrusted path.
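For the telemetry side of the list above, here is an added example (written for this post, not tooling from Microsoft or from the original page) that parses raw DNS responses as seen on the wire and flags the three things called out: a source that is not an approved resolver, an oversized response, and unusual record types or RDATA lengths. The approved-resolver set, the size thresholds and the two sample packets are constructed assumptions; the parser itself is a plain RFC 1035 wire-format reader, including name compression, and a response that fails to parse is reported as a finding rather than dropped, since malformed answers are exactly what this bug class rides on.

```python
import struct

# Constructed policy for the example; substitute your own resolver list and thresholds.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 41}   # A NS CNAME SOA PTR MX TXT AAAA SRV OPT
MAX_RESPONSE_BYTES = 4096                               # common EDNS buffer ceiling
MAX_RDATA_BYTES = 255


def _read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 2 > len(buf):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf: bytes):
    """Return [(owner, type, rdlength)] for every RR in the answer, authority and additional sections."""
    if len(buf) < 12:
        raise ValueError("short header")
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(buf, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = _read_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise ValueError("RDLENGTH past end of packet")
        off += rdlen
        records.append((name, rtype, rdlen))
    return records


def triage(src_ip: str, buf: bytes):
    """Findings for one DNS response seen on the wire (empty list means nothing unusual)."""
    findings = []
    if src_ip not in APPROVED_RESOLVERS:
        findings.append(f"response from unapproved resolver {src_ip}")
    if len(buf) > MAX_RESPONSE_BYTES:
        findings.append(f"oversized response: {len(buf)} bytes")
    try:
        records = parse_response(buf)
    except ValueError as exc:
        findings.append(f"malformed response: {exc}")  # a parser error is itself a signal
        return findings
    for name, rtype, rdlen in records:
        if rtype not in EXPECTED_TYPES:
            findings.append(f"unusual record type {rtype} for {name}")
        if rdlen > MAX_RDATA_BYTES:
            findings.append(f"RDATA of {rdlen} bytes in type {rtype} record for {name}")
    return findings


# --- constructed sample traffic (built here, not captured from a network) ---
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname: str, answers) -> bytes:
    """Minimal builder: one A question, answers given as (type, rdata) and owned by the qname."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in answers)
    return header + question + rrs


BENIGN = build_response("intranet.example", [(1, bytes([10, 0, 0, 25]))])
SUSPECT = build_response("updates.example", [(1, bytes([10, 0, 0, 25])), (65280, b"\x90" * 4500)])

if __name__ == "__main__":
    print(triage("10.0.0.53", BENIGN))        # []
    for finding in triage("192.0.2.9", SUSPECT):
        print(" -", finding)                  # four findings
```

Feed it the UDP payload and source address from whatever captures DNS on your segment; in practice the "unapproved resolver" finding is the one that fires first when a client has been pointed somewhere it should not be.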

CVE-2026-40402 [Critical]

Hyper-V guest-to-host elevation of privilege

CVE-2026-40402 (CVSS 9.3/10) is a Hyper-V guest-to-host escalation with a scope change to system on the host. Microsoft's FAQ confirms that a low-privilege guest VM can traverse the security boundary into the host environment.

That puts multi-tenant VDI, on-premises virtualization with untrusted workloads, and any Hyper-V host running guests you don't fully control squarely in scope. It's a same-week patch at minimum, and a same-day patch depending on what's running on top of the host.

How attackers may exploit this vulnerability

  • A low-privilege account inside a guest VM exploits the vulnerability to execute code on the host with system-level privileges.

  • One compromised guest becomes a pivot point for every other VM on the same host and the host fabric itself.

  • Hosted desktop environments and shared virtualization platforms are the highest-priority targets.

What to look out for

  • Guest VMs spawning unexpected host-side processes or initiating outbound connections from the host that don't trace to a known workload.

  • Unusual Hyper-V service errors or hypervisor logs showing privilege transitions that don't match scheduled activity.

  • Tenants reporting cross-tenant data exposure or unexpected access in shared virtualization environments.

Mitigation guidance

  • Patch Hyper-V hosts on the same cycle as your domain controllers. Treat them as Tier-0 infrastructure.

  • Segment guest workloads by trust level. Untrusted or internet-exposed guests do not belong on the same host as critical workloads.

  • Review your guest privilege model. Low-privilege guest users should not be able to load arbitrary drivers or perform operations that interact with the hypervisor surface.

Office and Word preview-pane RCEs

Microsoft shipped a cluster of critical remote code execution flaws across Office and Word this month. All are reachable through the preview pane, which means the user doesn't have to open the file. Rendering the message is enough.

A subset is on Microsoft's "exploitation more likely" list. That's the no-click shape that lights up initial access campaigns: the target only has to have the message selected in the pane. The vector is the same across the block, the surface is the same, and the patching cadence should be the same.

SharePoint Server RCE block

A separate SharePoint Server block ships this month with remote code execution flaws including CVE-2026-40365 at CVSS 8.8. April already burned a SharePoint zero-day. On-premises SharePoint farms remain one of the harder enterprise surfaces to defend, and any internet-facing farm warrants an emergency change window for this block.

Windows TCP/IP cluster

Microsoft shipped a sizeable cluster of CVEs in the Windows TCP/IP stack this month. Most require a specific condition to trigger. The headline one, CVE-2026-40415, needs sustained memory pressure that Microsoft describes as "not commonly present in normal operations." That's probably good news for most environments, and probably not great news if you run a high-volume edge.

Treat the TCP/IP block as a single triage line rather than a dozen separate stories. The patches are bundled, the conditions rhyme with each other, and the deployment plan is the same.

macOS Tahoe 26.5

Apple released macOS Tahoe 26.5 on May 11, the day before Microsoft's drop. One item in it earned an immediate reboot on every Apple device I manage.

CVE-2026-28819 [Critical]

Wi-Fi kernel remote code execution

CVE-2026-28819 is a kernel-level Wi-Fi RCE. Apple's description is direct: "an app may be able to execute arbitrary code with kernel privileges." It's an out-of-bounds write in the Wi-Fi stack, credited to Wang Yu.

Kernel RCE is the worst kind of fix to delay. There is no privilege boundary left to hide behind. Wi-Fi stacks are habitually scanning for access points even when connected, so if the bug is reachable over the air the attack surface isn't gated by whether you've joined a hostile network, and anyone with a rogue access point in range is potentially a problem. Note that Apple's own wording ("an app may be able to...") describes a local trigger rather than an over-the-air one; the rogue-AP case is the worst-case reading, not what the advisory confirms.

Patch your Mac fleet. Don't wait on this one.

Kernel, WebKit, and CUPS

Beyond the Wi-Fi flaw, the kernel block contains a set of memory corruption bugs that grant root, plus a Gatekeeper bypass through a malicious disk image. The WebKit block is the largest browser-engine surface I've seen from Apple this year. Use-after-frees, content security policy bypasses, type confusions, and memory safety issues.

WebKit is the standard initial access vector for macOS implants right now. It's the half of the release that attackers care about most. And WebKit isn't just Safari. It renders mail messages and powers every embedded web view that an app uses. You don't have to be a Safari user to be exposed. Almost anything that renders web content on macOS or iOS exposes you.

CUPS, Storage Kit, and a User Account Updater info leak round out the local privilege escalation set. These are mostly chained off an initial foothold, but each one is a privilege escalation in its own right.

macOS in the enterprise is no longer a developer-laptop story. It's executive endpoints, finance, and increasingly entire workforces. Apple's patch cadence is less predictable than Microsoft's. Releases land when they land, and Apple has a habit of bundling all security content into one monolithic update. Run Apple patches on the same rhythm you run Windows patches.

Linux: Copy-Fail and Dirty Frag

We did a full deep dive on Dirty Frag in episode 31 of the Patch [FIX] Tuesday podcast and in the Dirty Frag response post, so we won't repeat all of it here.

  • Copy-Fail (CVE-2026-31431) is a Linux kernel local privilege escalation disclosed at the end of April. The proof of concept is a tiny Python script that gets root on every major Linux distribution shipped since 2017. CISA added it to the Known Exploited Vulnerabilities catalog within the first week. The mitigation is to disable the algif_aead kernel module.

  • Dirty Frag (CVE-2026-43284 and CVE-2026-43500) is a separate Linux kernel local privesc chain. No race condition. Reliable across Ubuntu, Red Hat Enterprise Linux, AlmaLinux, CentOS, openSUSE, Fedora, and others. It went public ahead of schedule because a third party broke the embargo. At the time of disclosure, CVE-2026-43500 still had no patch in any tree.

These are two separate issues. Disabling algif_aead for Copy-Fail does not protect you against Dirty Frag. Dirty Frag's mitigation blocks a different set of modules (esp4, esp6, ipcomp4, ipcomp6, and rxrpc). Whichever set you apply, check the form of the block: a bare blacklist line only stops alias-based autoloading, whereas an install line pointing the module at /bin/false stops modprobe from loading it at all, and neither unloads a module that is already resident, which needs rmmod or a reboot.
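Because the two module sets are easy to conflate, here is an added checker written for this post (not one of the Worklets and not from either disclosure) that reads modprobe.d-style config and a /proc/modules listing and reports, per module, whether it is blocked by an install line, merely blacklisted, unblocked, or still loaded. The sample config and module listing at the bottom are constructed; on a live host the script reads the real files.

```python
import glob
import os
import re

# Module sets named in this post for the two mitigations.
COPY_FAIL_MODULES = {"algif_aead"}
DIRTY_FRAG_MODULES = {"esp4", "esp6", "ipcomp4", "ipcomp6", "rxrpc"}

_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(\S+)")
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)")


def _norm(name: str) -> str:
    return name.replace("-", "_")            # modprobe treats '-' and '_' as equivalent


def parse_modprobe_conf(text: str):
    """Return (modules with an install-to-/bin/false line, modules that are blacklisted)."""
    install_blocked, blacklisted = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _INSTALL_RE.match(line)
        if m:
            if m.group(2) in ("/bin/false", "/bin/true"):
                install_blocked.add(_norm(m.group(1)))
            continue
        m = _BLACKLIST_RE.match(line)
        if m:
            blacklisted.add(_norm(m.group(1)))
    return install_blocked, blacklisted


def parse_proc_modules(text: str):
    """Names of currently loaded modules from /proc/modules (first field per line)."""
    return {_norm(line.split()[0]) for line in text.splitlines() if line.strip()}


def check_mitigations(conf_texts, proc_modules_text: str):
    """Status per module: 'blocked', 'blacklist-only', 'unblocked' or 'LOADED'."""
    install_blocked, blacklisted = set(), set()
    for text in conf_texts:
        i, b = parse_modprobe_conf(text)
        install_blocked |= i
        blacklisted |= b
    loaded = parse_proc_modules(proc_modules_text)
    report = {}
    for name in sorted(COPY_FAIL_MODULES | DIRTY_FRAG_MODULES):
        if name in loaded:
            report[name] = "LOADED"           # config does not unload it: rmmod or reboot
        elif name in install_blocked:
            report[name] = "blocked"
        elif name in blacklisted:
            report[name] = "blacklist-only"   # stops alias autoload only; explicit loads still succeed
        else:
            report[name] = "unblocked"
    return report


def covers_both(report) -> bool:
    """True only when every module from both sets is install-blocked and none is loaded."""
    return all(status == "blocked" for status in report.values())


# Constructed samples standing in for /etc/modprobe.d/*.conf and /proc/modules.
COPY_FAIL_CONF = "# Copy-Fail mitigation\ninstall algif_aead /bin/false\n"
DIRTY_FRAG_CONF = ("blacklist esp4\nblacklist esp6\n"
                   "install ipcomp4 /bin/false\ninstall ipcomp6 /bin/false\ninstall rxrpc /bin/false\n")
PROC_MODULES = ("esp4 24576 0 - Live 0xffffffffc0a00000\n"
                "xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000\n")

if __name__ == "__main__":
    sample = check_mitigations([COPY_FAIL_CONF, DIRTY_FRAG_CONF], PROC_MODULES)
    if os.path.exists("/proc/modules"):       # live run on a Linux host
        confs = [open(p).read() for p in glob.glob("/etc/modprobe.d/*.conf")]
        with open("/proc/modules") as fh:
            sample = check_mitigations(confs, fh.read())
    for name, status in sample.items():
        print(f"{name:12} {status}")
    print("both mitigations in place:", covers_both(sample))
```

Run with the constructed samples it reports esp4 as LOADED and esp6 as blacklist-only, which is the kind of half-applied state that looks fine in a ticket and is not fine on the box.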

Automox customers have one-click Worklets for both in the catalog. For everyone else, we've published mitigation Worklets on GitHub so you can run them without an Automox subscription.

AI in the acknowledgements

Microsoft credits AI-assisted vulnerability research by name on multiple CVEs this release. Not "we used a tool" hand-wave language. Specific firms and specific researchers, including Anthropic researchers credited by name on a critical Windows RCE that shipped in today's update.

The Microsoft credits include:

  • CVE-2026-40403 (Windows graphics component RCE, CVSS 8.8). Heap overflow in win32k. Credited to Calif.io and Milad Nasr at Anthropic with Claude.

  • CVE-2026-40369 (Windows kernel EoP), on the exploitation-more-likely list. Credited independently to two AI-assisted teams: Calif.io with Claude and Anthropic Research, and Adrian Denkiewicz at Doyensec with Anthropic Research. Two separate AI-assisted teams converged on the same bug.

  • CVE-2026-40398 (Remote Desktop Services EoP), on the exploitation-more-likely list. Calif.io with Claude and Anthropic.

  • CVE-2026-40377 (Cryptographic Services EoP). Bruce Dang with Calif.io.

  • CVE-2026-40380 (Volume Manager Extension Driver RCE). Calif.io with Claude and Anthropic.

  • CVE-2026-33841 (Windows kernel EoP), on the exploitation-more-likely list. Andrew Fasano at the NIST Center for AI Standards and Innovation.

Apple's Tahoe 26.5 release also credits Calif.io across multiple components. The Linux disclosures around Copy-Fail were attributed to Theori using their Xint Code AI platform. Theori's writeup says Copy-Fail surfaced after about an hour of AI scan time against the Linux crypto subsystem, with one operator prompt and no harnessing. One hour of scan time surfaced a logic flaw that survived nine years of human review and millions of automated tests.

This is the first month I can remember where Linux, macOS, and Windows have all disclosed AI-assisted vulnerability research by name in the same cycle. And it's almost certainly an undercount, because Anthropic launched Project Glasswing earlier this year with a set of initial partners including Apple, Microsoft, Amazon, Cisco, and Google.

Not every partner will credit by name on every advisory. Some will patch silently.

The category that's surfacing fastest is privilege escalation in low-level components. Kernels, drivers, graphics stacks, crypto services. Those are the post-exploitation primitives attackers chain off initial access. The bread and butter of every targeted intrusion for the last 20 years.

Frontier-pace governance, in practice

I've been calling this frontier-pace governance, and May is the first month where the evidence speaks for itself. The bugs are getting found faster. Exploits are getting weaponized faster. The window between disclosure and active exploitation keeps shrinking. None of that changes what defenders need to do. It changes how fast we need to do it.

Discipline               | Why it matters                                                         | Where to be
Accurate inventory       | Unknown endpoints don't get patched                                    | Every endpoint accounted for, ownership and OS version current
Patch velocity           | The window from "fix shipped" to "fix landed" is the attacker's runway | Critical patches measured in hours and days, not weeks and quarters
Configuration discipline | Patched systems drift back into vulnerable states                      | Configuration enforcement, not configuration application
Defense in depth         | Something will slip through                                            | The next layer is already in place when it does

The cost of being slow used to be a 30-day window where you bet no attacker would weaponize a given bug. Automated exploitation at scale has been a thing for years. AI-assisted research is shrinking the discovery side of that same curve. The patch cycle is now a race, and as a community we've been a little too comfortable losing it.

Governance has to match execution. Posture updates have to be continuous, not quarterly.

Patch regularly, patch often

The quiet Microsoft headline this month is misleading. April was loud. Off-cycle activity in late April and early May was louder. Apple and Linux both shipped serious work in the last 30 days. May is not actually quiet.

Patch your domain controllers. Patch your kernels. Patch Tahoe 26.5 across your Mac fleet. Patch any internet-facing SharePoint farms. Verify your Copy-Fail and Dirty Frag mitigations cover both module sets, because they are not the same fix. If you run ASP.NET Core, you should already be on 10.0.7 with the exposed data protection keys rotated and revoked.

Don't let the zero-exploited, zero-disclosed line on Microsoft's release notes change your cadence.
