Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
Microsoft’s May 2026 Patch Tuesday patched 138 vulnerabilities in a single release. That is a number that gives pause even for people accustomed to these cycles.
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client. Curiously, in 2026, the Telnet client still needs a security patch.
30 of these bugs are rated Critical. The rest range from Important down to Moderate and Low. None of them, at the time of release, were listed as publicly known or already being exploited in the wild. That is worth something, even if it is not a reason to relax.
It is also worth noting that this wave of fixes lands just days before Pwn2Own Berlin, the international competition where security researchers race to find and exploit vulnerabilities in widely used systems. Vendors routinely accelerate their release cycles ahead of the event to shrink the exposed surface. The unusually high volume of submissions this month likely also reflects the growing role of AI in vulnerability research, even if only in drafting the reports.
Here are the bugs that deserve immediate attention, followed by a broader list of the most significant flaws this month.
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction. Because the DNS client runs on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.
A critical Windows Netlogon flaw could let unauthenticated attackers remotely execute code on domain controllers using crafted network requests. The bug requires no credentials or user interaction and carries a CVSS score of 9.8. Because it is potentially wormable, a successful attack could compromise an entire Windows domain, making it one of the most urgent patches in the latest security updates.
A critical code injection flaw in Microsoft Dynamics 365 On-Premises received a rare CVSS score of 9.9. The vulnerability includes a scope change, meaning attackers could impact resources beyond the targeted component after successful exploitation. Because such flaws are uncommon and potentially severe, organizations running on-premises Dynamics 365 should prioritize patching immediately.
A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue. However, exploitation would require sustained memory pressure on the target system, which makes real-world attacks less likely. Microsoft also patched two Word vulnerabilities that can trigger simply through the Preview Pane, without users opening a malicious document. Security researchers say patching remains the most effective defense against these threats.
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution. Code injection with scope change; any authenticated user can break out and affect resources beyond the vulnerable component.
CVE-2026-41089 (CVSS score of 9.8) — Windows Netlogon Remote Code Execution. Stack-based buffer overflow allowing unauthenticated RCE on domain controllers. Wormable. Patch immediately.
CVE-2026-41096 (CVSS not disclosed) — Windows DNS Client Remote Code Execution. Heap overflow triggered by a malicious DNS response. No authentication or user interaction required. Enormous attack surface.
CVE-2026-40415 (CVSS not disclosed) — Windows TCP/IP Remote Code Execution. Use-after-free in the TCP/IP stack; unauthenticated, no user interaction, technically wormable but requires rare memory pressure conditions.
CVE-2026-41103 (CVSS Critical) — Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege. Incorrect implementation of the authentication algorithm; rated as exploitation more likely.
CVE-2026-40364 (CVSS score of 8.4) — Microsoft Word Remote Code Execution. Type confusion bug; exploitable via Preview Pane without opening the document.
CVE-2026-40361 (CVSS score of 8.4) — Microsoft Word Remote Code Execution. Use-after-free; same Preview Pane attack vector as above, no file interaction required.
CVE-2026-41103 class (CVSS High) — Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows TCP/IP, Windows Cloud Files Mini Filter Driver — multiple privilege escalation issues across these components rated as exploitation more likely.
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities. Security experts recommend prioritizing these flaws due to their high impact and low user interaction requirements, while applying the remaining updates as quickly as possible through normal patch cycles.
The full list of CVEs addressed by Microsoft Patch Tuesday for May 2026 is available here.
The first time I encountered mesh Wi-Fi was when I went to university. One Wi-Fi password, but no matter where you roamed on campus you’ll stay connected. I’ve always thought of mesh networks as enterprise technology that you need an IT department to handle, but then router makers figured out how to make mesh easy enough for mere mortals.
Now I consider a mesh network the default for everyone, and if you’re still using a single non-mesh router you might want to know why. So let me explain.
Quiz
8 Questions · Test Your Knowledge
Home Networking & Wi-Fi
Think you know your routers from your repeaters — put your home networking know-how to the ultimate test.
Wi-FiRoutersSecurityHardwareProtocols
What does the ‘5 GHz’ band in Wi-Fi offer compared to the ‘2.4 GHz’ band?
That’s right! The 5 GHz band delivers faster data rates but loses signal strength more quickly over distance and through walls. It’s ideal for devices close to the router that need maximum throughput, like streaming 4K video.
Not quite — the 5 GHz band actually offers faster speeds at the cost of range. The 2.4 GHz band travels farther and penetrates obstacles better, which is why smart home devices and older gadgets often prefer it.
Which Wi-Fi standard, introduced in 2021, is also known as Wi-Fi 6E and extends into a new frequency band?
Correct! 802.11ax is the technical name for Wi-Fi 6 and Wi-Fi 6E. The ‘E’ variant extends the standard into the 6 GHz band, offering a massive swath of new, less-congested spectrum for faster and more reliable connections.
The answer is 802.11ax — that’s Wi-Fi 6 and Wi-Fi 6E. Wi-Fi 6E adds support for the 6 GHz band, giving it far less congestion than the crowded 2.4 GHz and 5 GHz bands. 802.11be is actually the upcoming Wi-Fi 7 standard.
What is the default IP address most commonly used to access a home router’s admin interface?
Spot on! The vast majority of consumer routers use either 192.168.0.1 or 192.168.1.1 as the default gateway address. Typing either into your browser’s address bar will bring up the router’s login page — just make sure you’ve changed the default password!
The correct answer is 192.168.0.1 or 192.168.1.1. These are the most common default gateway addresses for home routers. The 255.x.x.x addresses are subnet masks, and 127.0.0.1 is your own machine’s loopback address, not a router.
Which Wi-Fi security protocol is considered most secure for home networks as of 2024?
Excellent! WPA3 is the latest and most robust Wi-Fi security protocol, introduced in 2018. It uses Simultaneous Authentication of Equals (SAE) to replace the older Pre-Shared Key handshake, making it far more resistant to brute-force attacks.
The answer is WPA3. WEP is completely broken and should never be used, WPA is outdated, and WPA2 with TKIP has known vulnerabilities. WPA3 offers the strongest protection, and if your router supports it, you should enable it right away.
What is the primary difference between a mesh Wi-Fi system and a traditional Wi-Fi range extender?
Exactly right! Mesh systems use multiple nodes that talk to each other intelligently, handing off your device seamlessly as you move around your home under one SSID. Traditional range extenders typically broadcast a separate network and can cut bandwidth in half as they relay the signal.
The correct answer is that mesh nodes form one intelligent, seamless network. Range extenders are actually the ones that often create separate SSIDs (like ‘MyNetwork_EXT’) and can significantly reduce speeds. Mesh systems are far superior for large homes with many devices.
What does DHCP stand for, and what is its main function on a home network?
Perfect! DHCP (Dynamic Host Configuration Protocol) is the unsung hero of home networking. Every time a device joins your network, your router’s DHCP server automatically hands it a unique IP address, subnet mask, and gateway info so it can communicate without manual configuration.
DHCP stands for Dynamic Host Configuration Protocol, and its job is to automatically assign IP addresses to devices on your network. Without it, you’d have to manually configure a unique IP address on every single phone, laptop, and smart device — a tedious nightmare!
What is ‘QoS’ (Quality of Service) used for in a home router?
That’s correct! QoS lets you tell your router which traffic gets priority. For example, you can prioritize video calls or gaming over a family member’s file download, ensuring your Zoom meeting doesn’t freeze just because someone is downloading a large update.
QoS — Quality of Service — is actually about traffic prioritization. By tagging certain data types (like VoIP calls or gaming packets) as high priority, your router ensures latency-sensitive applications get bandwidth first, even when the network is congested.
What does the ‘WAN’ port on a home router connect to?
Correct! WAN stands for Wide Area Network, and the WAN port is where your router connects to the outside world — typically to your cable modem, DSL modem, or ISP gateway. The LAN ports on the other side connect to devices inside your home network.
The WAN (Wide Area Network) port connects your router to your ISP’s modem or gateway — essentially your entry point to the internet. The LAN (Local Area Network) ports are for connecting devices inside your home. Mixing them up can cause your network to not function at all!
Challenge Complete
Your Score
/ 8
Thanks for playing!
Mesh Wi-Fi solves a problem most homes already have
The internet is no longer confined to one spot in your home
In the early days of home internet, there was no real reason to have Wi-Fi coverage all over your home. You installed the router in your home office, or near the living room, and that was enough. People didn’t have smartphones, tablets, or smart home devices that all needed access to the LAN.
As Wi-Fi devices proliferated, that central router became a problem. There’s only so much power you can push into the antennas, and the inverse square law drains that signal of power in very short order.
It was a problem that had many suboptimal solutions. Wi-Fi repeaters destroy performance, access points need long Ethernet runs, and Powerline Ethernet only works well in ideal conditions. Most older homes can’t provide that with their aging wiring. In short, trying to expand a central router’s reach has usually involved some janky mishmash of solutions.
A modern mesh router kit just solved that problem without any fuss. The biggest problem you’ll have is how to position them. Everything else is usually just handled automatically.
Brand
eero
Range
1,500 sq. ft.
Mesh Network Compatible
Yes
The eero 6 mesh Wi-Fi router allows you to upgrade your home network without breaking the bank. Compatible with the wider eero ecosystem, you’ll find that this node can either start or expand your wireless network with ease.
Mesh systems prioritize consistency over peak speed
Good enough internet everywhere
Credit: Jordan Gloor / How-To Geek
I think it’s important to point out that with Wi-Fi it’s much more important to get consistent and reliable performance wherever you are in your home than to hit crazy peak speeds. Sure, if you buy an expensive router, you can blast data when you’ve got line of sight and are a few feet away, but then you might as well just connect to it with an Ethernet cable.
For the price of one very fast centralized router, you can buy an entry-level mesh router kit and have fast enough internet everywhere, and never have to think about it again. I’m still running a Wi-Fi 5 mesh system in my two-storey rental home and I get 200+ Mbps minimum anywhere. If I need more speed than that on a single device, it’s going on Ethernet.
As prices come down on Wi-Fi 6 and 7 mesh systems, we’ll all eventually get access to that gigabit or better wireless tier, but I’d rather have a few hundred Mbps everywhere rather than a few Gbps in just one place and zero internet elsewhere.
It’s hard to overstate just how easy modern mesh routers are to set up. After you’ve got the first unit up, usually by using a mobile app, adding more is generally just a matter of turning them on close to any previously activated router and waiting a few seconds.
As for the actual management of the network, on my TP-Link system you can see the topology of your network, how the pods are doing in terms of bandwidth, and you can automatically optimize for network interference and signal strength. The days of cryptic and largely manual router configuration are over. Even port forwarding, which has always tripped me up on old routers, now just works with a few taps on my phone screen.
The price argument doesn’t hold up anymore
There’s something for every budget
The biggest reason I think people have avoided mesh systems is cost. That’s perfectly fair, because mesh systems are more expensive than a single router. The thing is, prices have come down significantly, especially for mesh on older Wi-Fi standards.
But, even if you want newer Wi-Fi like 6E or 7, you don’t have to start your mesh journey with a full kit. You can buy a single mesh router, use that as your primary, and then add more as you can afford it. Even better, if you’ve bought a new router recently, there’s a chance it already supports mesh technology. It doesn’t even have to be that recent, since some older routers have gained mesh capability thanks to firmware updates.
If you already have a router that’s mesh-capable, then extending your home network any other way would be silly. Also, keep in mind that all the routers in your mesh network don’t have to be identical. That’s a common misconception, but the only thing they need to have in common is support for the same mesh technology. Just keep in mind that your performance will only be as good as the slowest device in the chain.
Mesh is for everyone
The bottom line is that mesh network technology is now cheap enough, mature enough, and easy enough that I honestly think everyone should have a good reason not to use it rather than looking for reason to use it. Wi-Fi should be like water or electricity. You want everyone in your home to have easy access to it no matter where they are. Mesh will do that for you.
9/10
Brand
Unifi
Range
1,750 square feet
The Unifi Dream Router 7 is a full-fledged network appliance offering NVR capabilities, fully managed switching,a built-in firewall, VLANs, and more. With four 2.5G Ethernet ports (one with PoE+) and a 10G SFP+ port, the Unifi Dream Router 7 also features dual WAN capabilities should you have two ISP connections. It includes a 64GB microSD card for IP camera storage, but can be upgraded for more storage if needed. With Wi-Fi 7, you’ll be able to reach up to a theoretical 5.7 Gbps network speed when using the 10G SFP+ port, or 2.5 Gbps when using Ethernet.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
May 13, 2026
