Yesterday was Microsoft's May 2026 Patch Tuesday. About 120 CVEs got fixed, 17 of them rated Critical, no zero-days this month. The release itself is the kind of thing that used to be a Monday-morning newsletter item. The reason it deserves its own post in 2026 is that the cadence I wrote about in the Claude Mythos post last week is now visibly playing out: a large share of this month's fixes were found by Microsoft's own MDASH agentic scanner, the rest are showing up faster than they used to, and the realistic window between patch release and working exploit is days, not months.
I will keep this short and operational. Here is what an SMB owner needs to know, what to push out this week, and why these specific CVEs deserve the front of the line.
The shape of this month
- Roughly 120 CVEs addressed across Windows, Office, Azure, and supporting components.
- 17 Critical: 14 remote code execution, 2 elevation of privilege, 1 information disclosure.
- Zero zero-days: nothing in this batch was being actively exploited at the time of disclosure.
- 16 CVEs credited to MDASH, Microsoft's multi-model agentic scanner. More on that below.
- Several more credited indirectly to Anthropic's Claude Mythos via Palo Alto Networks' research, which has been using Mythos to triage Microsoft attack surface.
Microsoft's MSRC blog described the release as sitting "on the larger side of a hotpatch month," with "a greater share of the issues addressed [...] discovered by Microsoft." Translation: the AI-assisted scanning programs at Microsoft are now contributing meaningful chunks of every monthly release, and the public Patch Tuesday list is going to get longer on average from here.
The CVEs that actually matter for a small business
CVE-2026-40361 — Microsoft Word use-after-free RCE (CVSS 8.4)
A critical use-after-free vulnerability in Microsoft Word that an attacker can exploit to run code on the user's machine, in the context of that user. CVSS 8.4 puts it solidly in the Critical bucket. The piece that should focus an owner's attention is that this bug is reachable through the Outlook Preview Pane. The user does not have to double-click the attachment; they only have to receive an email where Outlook auto-previews the document.
This is the same attack pattern that has gotten plenty of small businesses ransomed over the years: an employee receives what looks like an invoice or a delivery notification, Outlook helpfully shows them the preview, and the exploit fires on the way in. The fix is straightforward, the update for Office is small, and the deployment is the kind of thing that should already be automatic in any modern endpoint setup.
Two things to verify on every workstation:
- Office Click-to-Run is on the May 2026 release channel build. Open any Office app, click File › Account, and check the build date.
- Confirm that nobody on the Monthly Enterprise Channel or Semi-Annual Channel is stuck waiting for a delayed rollout. SMBs on Business Premium are usually on Current Channel, which gets the fix first; verify it rather than assuming it.
CVE-2026-41096 — Windows DNS Client heap-based buffer overflow
A heap-based buffer overflow in the Windows DNS Client that allows an unauthenticated attacker to take over a target system by sending a malicious DNS response. The piece that makes this dangerous is "unauthenticated": the attacker does not need a foothold, a phishing click, or any prior access. They need to be in a position to answer a DNS query.
That sounds narrower than it is. Any user who connects a laptop to an untrusted Wi-Fi network (a coffee shop, a hotel, an event venue) is asking that network for DNS resolution. Any office network that allows clients to use upstream DNS servers other than the firewall or a vetted resolver is exposed. Internal networks where DNS is provided by a domain controller are not immune either: any process on the same network that can intercept a DNS request can answer it with a crafted payload.
This is the kind of CVE that does not show up in "I clicked a bad link" headlines but does show up in post-incident reviews of how the attackers actually got in. Patch the Windows cumulative update, and on managed fleets, force DNS through a known resolver (your domain controller, Cloudflare 1.1.1.1, Quad9, or a managed DNS filtering product) instead of whatever DHCP hands out.
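One way to enforce the "known resolver" step above on a managed fleet (this also covers the DNS item in the checklist later in the post). This is an added example, not code from the original post; the allow-list addresses are constructed, with the first entry standing in for your domain controller.

```powershell
# Added example (not from the original post): pin every connected, physical
# adapter's IPv4 DNS servers to an allow-list and report anything that was
# pointing elsewhere before the change. Run elevated.
$Allowed = @('10.0.0.10', '1.1.1.1', '9.9.9.9')   # constructed: DC first, public fallback after

$report = foreach ($nic in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual })) {
    $before = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    $rogue  = @($before | Where-Object { $_ -notin $Allowed })   # resolvers DHCP or a user handed us

    # Static assignment overrides whatever DHCP offers on this adapter.
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Allowed

    [pscustomobject]@{
        Adapter     = $nic.Name
        BeforeDns   = ($before -join ', ')
        RogueDns    = ($rogue -join ', ')
        WasExposed  = $rogue.Count -gt 0
    }
}
$report | Format-Table -AutoSize
```

On laptops that roam to hotel or coffee-shop Wi-Fi, a static resolver can break captive portals; for those devices a DNS filtering agent that forces resolution through the vendor's resolvers is the more practical enforcement, and this script fits desktops on the fixed office network.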
CVE-2026-35421 — Windows GDI heap overflow (CVSS 7.8)
The Windows Graphics Device Interface is the rendering pipeline that sits behind almost every document, image, and font that displays on a Windows screen. A heap overflow here is reachable from a long list of common file types (images, fonts, embedded objects in Office, PDFs that render through GDI). Less immediately scary than the Word and DNS bugs, but the breadth of the surface (every browser, every Office app, every image viewer) makes it worth not skipping.
The fix arrives with the May cumulative update on Windows. There is no separate patch step.
MDASH: the new defender in the loop
The other story this month is who found the bugs. Microsoft introduced MDASH — a multi-model agentic scanning harness that orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end. Microsoft credited MDASH with 16 of this month's Patch Tuesday CVEs.
The shorthand: MDASH is Microsoft's version of Anthropic's Claude Mythos. Mythos showed up in the Firefox audit last month and surfaced 271 sec-rated bugs in a single run. MDASH is the same idea applied to Microsoft's own codebase by Microsoft's own team. The implication is the same as it was for Mozilla: vendors are now hooked up to AI scanners that find more bugs per release than human reviewers do, and the public Patch Tuesday volume is going to climb on average for the foreseeable future.
This is good news for defenders, with one caveat. The patches still ship publicly. As soon as they ship, a second set of researchers reverse-engineers them and writes proof-of-concept exploits for the half-dozen bugs that look most dangerous. The window between "Patch Tuesday released" and "working exploit on a public repo" used to be weeks. It has been shrinking. In several recent cases it has been measured in hours. The defender that pushes the patch in 24 to 72 hours is well ahead. The defender that pushes it in 30 to 60 days is exposed for almost all of that window.
What "no zero-days" means and what it does not
It is genuinely a quieter month. No actively exploited zero-day means no attacker had a head start. That is unusual lately and worth noting. What it does not mean is that the bugs in this batch are safe to wait on. Several of them are the kind of thing that turns into a working public exploit within days of patch release, particularly the Office RCEs that fire through Preview Pane. The lesson from the last few years is that "no zero-days" tells you about the past two weeks, not the next two.
What to do this week, in order
- Today: push the May 2026 cumulative Windows update to every workstation through your RMM, Intune, or whatever endpoint tool you use. Set a forced reboot deadline within 48 hours.
- Today: verify Microsoft Office is on the May 2026 build on every workstation that runs it. Click-to-Run is fastest; MSI installs are slowest and the ones most likely to be behind.
- Today: if your Outlook policy allows Preview Pane on attachments from external senders, consider disabling it for the next two weeks while the Word RCE patch propagates. Belt-and-suspenders.
- This week: apply the May cumulative update to every Windows server. Use hotpatch where supported (Windows Server 2022/2025 with Azure Update Manager) to avoid the reboot. For everything else, schedule a maintenance window and reboot.
- This week: review your endpoint patch-compliance dashboard. The machines that report "pending reboot" three days from now are the ones an opportunistic attacker will find. Track them down individually.
- This week: on managed fleets, lock DNS resolution to a known-good resolver (your domain controller, a DNS filtering product, or a public resolver like 1.1.1.1 / 9.9.9.9). The DNS Client RCE is most dangerous on networks where any device can be the DNS server.
- This month: if you cannot answer "what is our mean time to patch on critical Windows CVEs," that is the project. The May Patch Tuesday is one of about 12 you will see this year, and the volume is climbing.
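A single-host compliance check that turns the verification steps above (Office build and channel, cumulative update installed, reboot still pending) into one object your RMM can collect from every endpoint. This is an added example, not code from the original post; the KB number and minimum Office build are placeholders, since the post does not list them, and `CDNBaseUrl` is reported as the channel indicator on the assumption that its trailing GUID identifies the Click-to-Run channel.

```powershell
# Added example (not from the original post): patch-compliance check for one
# Windows endpoint. Replace the two placeholders from the May 2026 release notes.
$RequiredKb     = 'KB0000000'         # placeholder: May 2026 cumulative update KB
$MinOfficeBuild = '16.0.00000.00000'  # placeholder: May 2026 Office Click-to-Run build

# 1. Cumulative update present? (Get-HotFix lists installed Windows updates.)
$kbInstalled = [bool](Get-HotFix | Where-Object HotFixID -eq $RequiredKb)

# 2. Reboot still pending? Servicing and Windows Update each leave a flag key.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = @($pendingKeys | Where-Object { Test-Path $_ }).Count -gt 0

# 3. Office Click-to-Run build and channel (key absent on MSI installs / no Office).
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
$officeBuild = if ($c2r) { $c2r.VersionToReport } else { $null }
$officeOk    = [bool]($officeBuild -and ([version]$officeBuild -ge [version]$MinOfficeBuild))

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    KbInstalled   = $kbInstalled
    RebootPending = $rebootPending
    OfficeBuild   = $officeBuild
    OfficeChannel = if ($c2r) { $c2r.CDNBaseUrl } else { 'no Click-to-Run Office' }
    OfficeCurrent = $officeOk
    # Compliant = update on disk, reboot done, and Office (if present) on the new build.
    Compliant     = $kbInstalled -and -not $rebootPending -and ($null -eq $officeBuild -or $officeOk)
}
```

Machines that come back with `RebootPending = True` three days after deployment are the ones the post says to chase individually; a host with `KbInstalled = False` and a `RebootPending` of False never received the update at all and needs a look at its update source.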
The connective tissue with the rest of this blog
If you have been reading along, this is the third post in a row on the same theme from different angles:
- The Mythos post set up the bigger story: AI-assisted vulnerability discovery is accelerating, and quarterly patch cycles are no longer fast enough.
- The YellowKey and GreenPlasma post showed what specific Windows bugs in that pipeline look like and what they put at risk.
- The identity hardening post covered the controls that reduce the cost of any individual bug landing in your environment.
- This post is the operational piece. The May 2026 patches are out. This is how a small business runs the play.
The honest take is unchanged: vulnerability management in 2026 is not a tooling problem. The tools are cheap. The problem is whether somebody whose job is patching is actually running them on a cadence that keeps up with disclosure volume. If you are reading this and the answer is "nobody, really," that is the seat to fill. We work with small businesses across Salinas, Monterey, Santa Cruz, and the rest of the Central Coast on exactly this; the managed IT services page covers the broader scope and the cybersecurity services page covers the program around it.
FAQs about the May 2026 Patch Tuesday
What is the most important CVE to patch from May 2026 Patch Tuesday?
Two are tied for first place for a typical small business. CVE-2026-40361 is a critical use-after-free in Microsoft Word with a CVSS of 8.4 that can be triggered through the Outlook Preview Pane, meaning a user does not have to open the attachment for the exploit to fire. CVE-2026-41096 is a heap-based buffer overflow in the Windows DNS Client that allows an unauthenticated attacker to take over a target by sending a crafted DNS response. Office is everywhere; DNS resolution happens on every machine continuously. Both should be patched in the next 72 hours.
Are there any zero-days in May 2026 Patch Tuesday?
No. Microsoft reported no actively exploited zero-day vulnerabilities in this month's release. That is the first zero-day-free Patch Tuesday in a while and is good news, with caveats: working exploits for several of the critical bugs will likely surface in the days and weeks after the patches drop, since the patches themselves often hint at the bug class. Patch on the new cadence regardless.
How many vulnerabilities did Microsoft fix in May 2026?
Approximately 120 CVEs. Of those, 17 are rated Critical (14 remote code execution, 2 elevation of privilege, 1 information disclosure), and the rest are rated Important, Moderate, or Low. Microsoft's MDASH multi-model agentic scanning harness was credited with discovering 16 of the fixed vulnerabilities.
What is MDASH and why does it matter?
MDASH is Microsoft's multi-model agentic scanning harness: more than 100 specialized AI agents that discover, debate, and prove exploitable bugs across Microsoft's own code. It is Microsoft's analog to Anthropic's Claude Mythos. The reason it matters for a small business is the rate: between MDASH on the Microsoft side and Mythos on the third-party side, vulnerability disclosure volume is climbing fast enough that any patching cadence slower than "days" is going to fall behind.
How fast does a small business need to patch this month's fixes?
Targets: 24 to 72 hours for endpoints to apply the cumulative update with a reboot. 7 days for servers, scheduled around a maintenance window. Same week for any critical RCE on internet-reachable infrastructure. If your fleet is on auto-patch through an endpoint management tool, this is happening already and your job is verification. If it is not, this is the project to start on Monday.
What if I can't reboot servers right away?
Hotpatch is the right answer if your servers are running Windows Server 2022 or 2025 and are eligible (Azure Update Manager or specific licensing tiers). Hotpatch applies the kernel and security fixes without a reboot for most of the year, with full quarterly reboots for the rollup. If hotpatch is not available, schedule a real maintenance window. "We'll reboot when convenient" is the patching posture that broke the last few small businesses I cleaned up after.
Want a real patch-cadence review for your fleet?
30 minutes with a DoD-cleared engineer. Honest look at your endpoint and server patching, your mean time to patch on critical CVEs, and where the gaps are. Written follow-up with priorities and rough cost. No sales script.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.