Microsoft May 2026 Patch Tuesday: 120 Fixes NC SMBs Must Deploy

TL;DR: Microsoft's May 2026 Patch Tuesday fixes 120 vulnerabilities, including 29 rated Critical with remote code execution (RCE) impact across Windows, Office, SharePoint, Azure, and developer tools. While no zero-days were exploited at release, Cyber Security News reports that several preview-pane Office RCEs and a critical Windows DNS Client flaw create immediate risk for unpatched North Carolina small businesses. This guide breaks down what to patch first, on what timeline, and how NC SMBs can deploy safely without breaking line-of-business applications.

Key takeaway: Office preview-pane RCEs do not require a user to click. Just previewing a malicious attachment in Outlook triggers code execution. Every NC small business running Microsoft 365 should patch Office and Outlook within 7 days, not 30.

Need help deploying this month's Microsoft patches safely? Preferred Data Corporation provides managed IT services and managed cybersecurity for North Carolina businesses. BBB A+ rated, in business since 1987. Call (336) 886-3282 or request a Patch Tuesday deployment plan.

What did Microsoft fix in the May 2026 Patch Tuesday?

Microsoft's May 2026 release addresses 120 distinct vulnerabilities. CyberScoop's coverage and Talos Intelligence's breakdown provide the most authoritative summaries. The high-level numbers:

Category	Count	Notes
Critical RCE	29	Highest priority for SMBs
Total vulnerabilities	120	Across Windows, Office, Azure, dev tools
Zero-days exploited	0	First clean release in several months
SharePoint critical	Multiple	Authenticated RCE; impacts on-prem servers
Office (Word/Excel/Outlook)	Multiple	Preview-pane and document handling
Windows DNS Client	1 critical	Affects every Windows device on a network

Arctic Wolf's analysis and Qualys ThreatPROTECT's review both flag the Office and DNS Client vulnerabilities as the highest-priority items for small business environments.

Which May 2026 vulnerabilities matter most for NC small businesses?

Five vulnerability families deserve immediate attention. None of them require an advanced attacker.

1. Microsoft Office RCE (preview pane exploitable)

Cyber Security News confirms multiple Office vulnerabilities can be triggered by Outlook's preview pane, meaning a user does not need to click a malicious attachment. Just receiving the email is enough. For NC small businesses where staff routinely handle invoices, RFQs, RFPs, and quotes by email, this is the highest-priority patch.

Action: Patch Outlook, Word, Excel, and PowerPoint within 7 days. Consider temporarily disabling Outlook's reading pane in high-risk roles (finance, executive assistants) until updates are confirmed deployed.

2. Windows DNS Client RCE

A malicious DNS response sent to a vulnerable Windows host can corrupt memory and execute code remotely. This affects every Windows endpoint that performs DNS lookups (essentially all of them). Because DNS is a low-level protocol, even properly segmented networks are exposed.

Action: Deploy the May Windows cumulative update to all endpoints within 7 days. Verify that internal DNS servers (Active Directory domain controllers) are also patched.

3. SharePoint Server authenticated RCE

NC manufacturers and professional services firms running on-premises SharePoint are exposed to a network-based RCE that requires authenticated access. Combined with phishing or credential theft, this becomes a full domain compromise vector.

Action: Patch SharePoint within 14 days. Consider migrating remaining on-premises SharePoint workloads to SharePoint Online if you have not already, per PDC's SharePoint manufacturing document management guide.

4. Microsoft Azure and developer tooling

Several Azure and Visual Studio patches address privilege escalation and code execution. While most NC small businesses do not run their own Azure development workloads, the SaaS vendors they use almost certainly do.

Action: Subscribe to vendor advisories and confirm your SaaS providers have patched.

5. Privilege escalation across Windows components

Direct Business Technologies' analysis flags several Windows kernel and component privilege escalation vulnerabilities. These are not exploitable on their own but are commonly chained with phishing or initial-access exploits to convert a low-privilege foothold into a full domain takeover.

Action: Standard cumulative Windows update within 7-14 days.

How fast should NC small businesses deploy these patches?

The new 2026 patch SLA expectations, aligned with cyber insurance and CMMC guidance:

Asset class	Target SLA	Why
Internet-facing servers (SharePoint, Exchange)	72 hours	High-value attacker targets
User workstations (Office, Windows)	7 days	Preview-pane RCE risk
Domain controllers + DNS servers	7 days	Critical authentication infrastructure
Member servers (file, app, SQL)	14 days	Higher change-management risk
Developer machines + non-prod	14 days	Pivot risk to production

Bleeping Computer's coverage confirms no zero-days were exploited at release, giving SMBs a rare window to deploy before broad exploitation campaigns ramp up. That window typically closes within 7-14 days as public proof-of-concept exploits emerge.

Key takeaway: Just because Microsoft does not see active exploitation today does not mean attackers will not have exploits tomorrow. Patch as if exploitation is imminent because, increasingly, it is.

How should NC small businesses deploy patches without breaking production?

A defensible deployment pattern for an NC small business with 50-200 endpoints:

Pilot ring (Day 0-2): Deploy to IT staff, a small QA group, and 5-10 representative endpoints across departments.
Validation (Day 2-4): Confirm core line-of-business apps work. Test VPN, RDP, EDR/MDR agents, printing, and authentication.
Broad workstation rollout (Day 4-7): Push to all non-critical user workstations via RMM or Intune.
Server rollout (Day 7-14): Schedule planned maintenance windows for domain controllers, file servers, SQL, and SharePoint.
Verification (Day 14): Generate a patch compliance report. Identify and remediate any failed installs.
Audit evidence (Day 14): Capture screenshots, reports, or RMM exports for cyber insurance and CMMC documentation.

PDC's patch management in the AI era guide covers the automation tooling and process discipline this pattern requires.

Want PDC to manage your May 2026 patch rollout? Call (336) 886-3282 or request a patch deployment plan.

What if I cannot patch certain systems immediately?

Three legitimate compensating controls when an immediate patch is not possible:

Egress filtering and segmentation. Limit what an exploited system can reach. PDC's SD-WAN multi-site guide covers practical segmentation patterns.
Disable risky features. For Office RCE, disable the Outlook preview pane for high-risk users.
Application allowlisting. Limit what executables can run on critical hosts.

For OT/industrial systems that cannot be patched immediately, compensating controls and network isolation become mandatory. PDC's OT/IT integration guide covers manufacturer-specific patterns.

How does this Patch Tuesday relate to the 2026 Verizon DBIR?

Verizon's 2026 DBIR found that vulnerability exploitation is now the #1 initial breach vector, accounting for 31% of all incidents. Microsoft Patch Tuesday vulnerabilities are precisely the CVEs that DBIR data points to: widely deployed, business-critical, and exploited within days of disclosure. Every month a small business skips Patch Tuesday is a month it accumulates exploitable debt.

What about Secure Boot certificate expiration?

Direct Business Technologies' coverage reminds NC SMBs that the May release also includes Secure Boot readiness updates ahead of the June 2026 Microsoft third-party UEFI CA certificate expiration. PDC's Secure Boot certificate expiration guide covers the device-by-device readiness work most SMBs still need to complete.

What about cyber insurance documentation?

Cyber insurance carriers in 2026 routinely request:

Monthly patch compliance reports showing percentage of endpoints up to date
Time-to-patch SLAs in writing
Documented exceptions for systems that cannot be patched on the standard SLA
Patch evidence for the most recent three Patch Tuesday cycles

PDC's managed IT clients receive these reports automatically as part of monthly service delivery. See PDC's cyber insurance premium hike guide for the specific application questions.

Key takeaway: The cheapest cybersecurity investment a North Carolina small business can make in 2026 is automated, documented Patch Tuesday deployment. It is also one of the highest-leverage.

How Preferred Data Corporation handles May 2026 Patch Tuesday

PDC's managed IT and managed cybersecurity clients receive an automated Patch Tuesday workflow every month:

Patch advisory review by PDC's security team within 24 hours of release
Pilot ring deployment to representative endpoints
Validation testing on common NC SMB workloads (manufacturing, construction, professional services)
Broad workstation rollout via RMM within 7 days
Server patch windows scheduled for maintenance hours
Patch compliance reporting sent monthly to leadership
Cyber insurance evidence packs prepared annually for renewals
Local NC on-site for systems that cannot be patched remotely

PDC serves North Carolina businesses across High Point, Greensboro, Winston-Salem, Charlotte, Raleigh, Durham, Chapel Hill, and Hickory since 1987.

Get this month's patches deployed cleanly:

Call (336) 886-3282
Visit preferreddata.com/contact
Email [email protected]
Address: 1208 Eastchester Drive, Suite 131, High Point, NC 27265

Frequently Asked Questions

How many vulnerabilities did Microsoft fix in May 2026?

Microsoft's May 2026 Patch Tuesday fixes 120 vulnerabilities, including 29 rated Critical with remote code execution impact. There were no zero-days exploited in the wild at release, but several Office RCEs are exploitable through Outlook's preview pane.

Which May 2026 patches should NC small businesses prioritize?

Prioritize the Microsoft Office (Outlook, Word, Excel, PowerPoint) RCE patches first because they can be triggered by the Outlook preview pane without a user clicking. Then patch Windows endpoints for the DNS Client RCE, and finally on-premises SharePoint Server for the authenticated RCE. All within 7-14 days.

Can attackers exploit the Office vulnerabilities without me opening an attachment?

Yes. Several of the May 2026 Office vulnerabilities can be exploited via the Outlook preview pane, meaning simply viewing the email in the preview pane is enough to trigger code execution. This is why NC small businesses should patch Office and Outlook within 7 days, not the standard 30-day workstation cadence.

What is the patching SLA I should use for cyber insurance?

A defensible 2026 SLA is 72 hours for internet-facing systems, 7 days for user workstations and domain controllers, 14 days for member servers, and 30 days for network gear. Most cyber insurance applications in 2026 ask about these SLAs explicitly. PDC's cyber insurance premium hike guide documents the specific questions.

What is the difference between Patch Tuesday and CISA KEV patching?

Microsoft Patch Tuesday is the monthly scheduled release of Microsoft patches. CISA's Known Exploited Vulnerabilities catalog lists CVEs across all vendors that are being actively exploited in the wild. NC small businesses should follow both. Anything on KEV should be patched within 72 hours regardless of CVSS score.

How much does managed Patch Tuesday deployment cost?

Managed patching is typically bundled into a managed IT services contract. For an NC small business with 50-150 endpoints, expect $50-$125 per user per month for a full managed IT bundle that includes Patch Tuesday automation, monitoring, helpdesk, and reporting. Standalone patching-only tooling is rarely cost-effective at SMB scale.