May 2026 Windows Update — 120 Fixes and No Zero-Days, Install It Anyway
Microsoft's monthly security patch landed yesterday. 120 fixes. Thirty Critical. And for the first time since mid-2024, not a single one was being exploited before the patch dropped. Sounds like a quiet month. It isn't.
No zero-days this month
Every Patch Tuesday from mid-2024 through April this year included at least one vulnerability attackers were already using. This month breaks the streak.
That doesn't mean you can sit on it. Patches are public now. Attackers reverse-engineer what changed and target anyone who hasn't updated. The gap between patch release and first exploit keeps getting shorter.
The worst of the bunch
- CVE-2026-40361 (and three related), Microsoft Word. Remote code execution through the Preview Pane in File Explorer and Outlook. You don't have to open the document. Just preview it. Two of the four are rated "Exploitation More Likely" by Microsoft.
- CVE-2026-41089, Windows Netlogon. CVSS 9.8. Wormable buffer overflow in domain authentication. No credentials needed. If you run a business network with a domain controller, this is the one. For home users it's less direct, but flaws like this end up in ransomware toolkits fast.
- CVE-2026-41096, Windows DNS Client. CVSS 9.8. A crafted DNS response triggers a buffer overflow. Every Windows PC makes DNS queries constantly, so the attack surface is basically every machine on every network.
The Word flaws are the ones most likely to reach normal people. Weaponised documents by email, the preview pane does the rest. If you use Outlook, get this patch on.
How to install
- Settings → Windows Update
- Check for updates
- Wait 10-30 minutes
- Restart when prompted, not two days later
This month's update is KB5089549 (24H2 and 25H2). Look in Update history to confirm it's installed.
Bonus: Paint is a security risk now
One that caught my eye: CVE-2026-35421. Open a dodgy image file in Microsoft Paint and an attacker can run code on your machine. Paint. The program you crop screenshots in. It's fixed now, but the fact Paint needed a security patch says something about how much old code is still ticking away inside Windows.
Windows 10 (if you're still there)
This month's Windows 10 patch is KB5087544. You only get it if you're on the free Extended Security Updates programme. See the Windows 10 end-of-life guide for how to enrol. Free ESU expires October 2026. After that it's pay or upgrade.
If Windows Update itself is broken
A PC that can't update can't protect itself. The usual culprits are low disk space, corrupted update files, or another antivirus clashing with Defender. I've covered the fixes in my common PC problems post. If storage is the bottleneck, speeding up a slow Windows 11 PC has that covered too. If none of that works, broken updates are one of the most common computer repairs I do.
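The "confirm it's installed" step, the Windows 10 note and the usual causes of broken updates can all be checked from PowerShell in one pass. This is an added example, not part of the original post. It uses the two KB numbers quoted above, and the function names and the 10 GB free-space threshold are assumptions made for the illustration.

```powershell
# Added example: report whether this month's KB is installed, plus two common blockers.
function Get-ExpectedKb {
    param([int]$Build, [string]$DisplayVersion)
    if ($Build -ge 22000) {                       # Windows 11 builds start at 22000
        if ($DisplayVersion -in '24H2', '25H2') { return 'KB5089549' }
        return $null                              # other Windows 11 releases: KB not given in the article
    }
    return 'KB5087544'                            # Windows 10, delivered only to ESU-enrolled PCs
}

function Test-KbInstalled {
    param([string]$Kb)
    # Source 1: Win32_QuickFixEngineering, queried through Get-HotFix
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }
    # Source 2: Windows Update history (what Settings shows); ResultCode 2 = succeeded
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return $false }
    $hit = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match $Kb -and $_.ResultCode -eq 2 }
    return [bool]$hit
}

function Test-RebootPending {
    # Either key existing means an installed update is waiting for a restart
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    return [bool]($keys | Where-Object { Test-Path $_ })
}

$cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kb        = Get-ExpectedKb -Build ([int]$cv.CurrentBuild) -DisplayVersion $cv.DisplayVersion
$drive     = $env:SystemDrive.TrimEnd(':')
$freeGB    = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 1)
$minFreeGB = 10   # assumed threshold for this example, not a figure from the article

[pscustomobject]@{
    Version       = $cv.DisplayVersion
    Build         = "$($cv.CurrentBuild).$($cv.UBR)"
    ExpectedKB    = if ($kb) { $kb } else { 'not listed in article' }
    Installed     = if ($kb) { Test-KbInstalled $kb } else { $null }
    RebootPending = Test-RebootPending
    FreeGB        = $freeGB
    LowDiskSpace  = $freeGB -lt $minFreeGB
}
```

If Installed is True but RebootPending is also True, the fix is not active until the PC has restarted.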
For the full technical breakdown, Bleeping Computer covers every CVE and Krebs on Security has the analysis of which ones matter most.
Mark has been fixing computers since the late '90s and went self-employed in 2008. Based in St Helens since 2013, he works evenings and weekends from his home in Laffak — friendly, affordable repairs for PCs, laptops, and Macs.