Microsoft's May Patch Tuesday Fixes Up to 138 Security Flaws — Here's Why You Need to Update Now
If Windows has been nudging you to install updates and you've been clicking "Remind me later," this is your sign to stop putting it off. Microsoft's May 2026 Patch Tuesday is one of the largest monthly security releases in recent memory — and several of the flaws it fixes are the kind that let attackers take over your PC without you clicking anything suspicious.
Here's a plain-English breakdown of what was patched, why it matters, and exactly how to install the updates on your Windows machine.
How Big Is This Month's Patch Tuesday?
Very big. The Hacker News reports that Microsoft patched 138 security vulnerabilities across its product portfolio this month — 30 rated Critical, 104 rated Important, and the remainder Moderate or Low. (Other sources report slightly different counts; Malwarebytes Labs cites 137, while PCWorld focuses on 120 Windows and Office fixes, with additional Edge and Chromium patches bringing the total higher.) PCWorld notes this is an unusually high number even by Patch Tuesday standards, possibly motivated in part by the Pwn2Own hacking competition that kicked off in Berlin on May 14th.
The good news: according to Malwarebytes Labs, none of the vulnerabilities are currently being actively exploited in the wild. There are no zero-days this month. That gives you a window to patch before attackers start reverse-engineering the fixes to build exploits — but that window doesn't stay open forever.
According to The Record, Microsoft has now patched more than 500 vulnerabilities in just the first five months of 2026 and is on pace to break its own annual record. A significant driver: Microsoft's own AI-powered vulnerability discovery system, codenamed MDASH, which found 16 of the flaws patched this month — including four rated Critical — without any human researcher identifying them first.
The Flaws You Should Know About
1. Windows DNS Client — CVE-2026-41096 (CVSS 9.8)
This is arguably the most alarming patch in the batch. The Hacker News describes it as a heap-based buffer overflow in the Windows DNS Client, meaning an attacker who controls a DNS server can send a specially crafted response to virtually any Windows PC and execute code remotely — without authentication. As PCWorld points out, the DNS client runs on nearly every Windows machine, making this an extremely wide-reaching threat.
2. Windows Netlogon — CVE-2026-41089 (CVSS 9.8)
This one targets business networks specifically. The Record explains that the Netlogon flaw — a stack-based buffer overflow — can be triggered by a specially crafted network request sent to a Windows server acting as a domain controller. An attacker doesn't need credentials; they just need network access to potentially run arbitrary code on a server that manages authentication for your entire office.
For any Yuba City small business running Windows Server in-house, this one deserves immediate attention.
3. Microsoft Word — CVE-2026-40361 (CVSS 8.4)
You don't even have to open the file. Malwarebytes Labs flags this as a critical use-after-free vulnerability in Microsoft Word where simply previewing a malicious document in the preview pane can allow an attacker to execute code with your current user's privileges — enough to install malware, steal credentials, or move across a network. [
