
Patch Tuesday May 2026: Two CVSS 9.8 Criticals — Every UK SME Has 48 Hours to Act

On Tuesday 13 May 2026, Microsoft shipped fixes for 137 CVEs — 30 of them rated critical, 14 carrying CVSS scores of 9.0 or higher, and zero classed as actively exploited zero-days for the first time since June 2024. That headline calm is misleading. Two of the criticals demand action from every UK SME inside 48 hours: CVE-2026-41089, a wormable stack-based buffer overflow in Windows Netlogon that hands an attacker SYSTEM-level control of a domain controller, and CVE-2026-41096, an unauthenticated heap-based overflow in the Windows DNS Client that affects every Windows endpoint on the estate. A third critical — CVE-2026-42898 in on-premises Dynamics 365 — carries CVSS 9.9 and turns any unpatched on-prem CRM into a launchpad.

This is the largest May Patch Tuesday in five years, and it lands inside the same calendar quarter that Microsoft’s April release pushed 169 CVEs — the second-highest single month in the programme’s history. Microsoft’s own AI tooling (MDASH) found 16 of the 137 bugs disclosed today, and the company is on pace to surpass the 2020 record of 1,245 CVEs in a calendar year. The implication for UK SMEs is operational: patching has stopped being an end-of-month admin task and has become a monthly compliance discipline that Cyber Essentials Plus, cyber insurers, and supplier security questionnaires now grade you on.

  • 137 CVEs fixed on 13 May 2026
  • CVSS 9.8: Netlogon & DNS Client
  • CVSS 9.9: Dynamics 365 on-prem
  • 48 hrs: DC patch window for UK SMEs

What Microsoft actually shipped on 13 May 2026

The May 2026 Patch Tuesday rollup covers 137 individual CVEs across Windows client and server, Microsoft Office, Dynamics 365, Azure DevOps, Microsoft Edge, SQL Server, Visual Studio, and the Microsoft SSO Plugin for Atlassian. Thirty of the entries are rated Critical, 14 carry CVSS scores of 9.0 or higher, and none was classified as exploited in the wild before publication — the first ‘clean’ Patch Tuesday for known-exploited bugs since June 2024.

That zero-day count is the part headlines have led with, but it is the wrong number to plan around. The two CVSS 9.8 entries — Netlogon (CVE-2026-41089) and the Windows DNS Client (CVE-2026-41096) — are both pre-authentication, both reachable over the wire, and both Microsoft-labelled as ‘Exploitation More Likely’. Once proof-of-concept code lands on GitHub, the gap between disclosure and the first credential-spraying worm has been measured in days, not weeks, on every comparable Netlogon-family bug since Zerologon in August 2020.

For UK SMEs the question is not whether the Tuesday rollup is ‘quiet’. The question is whether your domain controllers, your DNS resolvers and your Dynamics 365 on-prem servers are inside the 48-hour critical-patch SLA your Cyber Essentials Plus assessor — and increasingly your insurer — expect to see evidenced.

Why a wormable Netlogon flaw is a five-alarm event for SMEs

CVE-2026-41089 is a stack-based buffer overflow in the Netlogon Remote Protocol that runs as SYSTEM on a domain controller and requires no prior authentication. ‘Wormable’ in Microsoft’s glossary means the same exploit can pivot from one DC to the next without further user interaction — the same class of bug as MS08-067 (Conficker) and Zerologon (CVE-2020-1472). If the first DC falls, every joined Active Directory member can be reached from inside the trust boundary. The patches are KB5087539 (Server 2025), KB5087545 (Server 2022) and KB5087541 (Server 23H2), and they cover every supported Server release from 2012 onwards. There is no documented workaround that does not break Netlogon itself.

Patch Tuesday timeline — how today fits the wider 2026 picture

8 April 2026 — April Patch Tuesday
Microsoft ships 169 CVEs — the second-largest Patch Tuesday in the programme’s history. The release set the tone for the 2026 patch cadence and forced every managed-service provider in the UK to revisit weekly patch rings.
22 April 2026 — NCSC patch-wave warning
The National Cyber Security Centre issued an unusual mid-month advisory urging UK organisations to formalise a documented monthly patching SLA. The advisory called out domain controllers, edge appliances and CRM servers as the priority assets.
9 May 2026 — Pre-Patch-Tuesday signal
Microsoft pre-notified MSRC participants of an unusually high count of Critical CVEs, including a wormable Netlogon entry. Several MSPs began pre-staging maintenance windows for the following weekend.
13 May 2026 — Patch Tuesday release
137 CVEs published, including CVE-2026-41089 (Netlogon, CVSS 9.8), CVE-2026-41096 (DNS Client, CVSS 9.8), CVE-2026-42898 (Dynamics 365 on-prem, CVSS 9.9). Hotpatch becomes the default servicing mode on supported Server 2025 and Windows 11 24H2/25H2 builds.
13 May 2026 — NHS Digital cyber alert CC-4782
NHS Digital issues alert CC-4782 specifically calling out Netlogon and DNS Client. NHS trusts and their suppliers are directed to apply DC patches inside 48 hours and endpoint patches inside seven days under DSPT requirements.
14 May 2026 — Today
UK SMEs enter the ‘48-hour critical’ window for domain controllers. Patches are downloadable through Windows Update, WSUS, Intune, Autopatch and the Microsoft Update Catalog. Hotpatch-eligible servers do not require a reboot.
~20 May 2026 — Expected exploit weaponisation
Historic precedent on wormable Netlogon bugs (Zerologon, PrintNightmare, NoPac) puts realistic proof-of-concept publication inside seven days. Mass scanning typically follows within ten.
27 May 2026 — Cyber Essentials v3.3 14-day deadline
Under Cyber Essentials and Cyber Essentials Plus, all critical/high vulnerabilities with a CVSS score of 7.0 or above must be remediated within 14 days of vendor patch availability. 27 May is the audit-evidence cut-off for today’s release.
10 June 2026 — June Patch Tuesday
Next scheduled release. UK SMEs that have not closed the May rollup before June ship will be carrying two months of unpatched critical exposure into a single window — the scenario insurers explicitly score against on renewal.

Where the 137 CVEs sit — severity and product breakdown

The headline number obscures a steep distribution. Roughly one in five entries is rated Critical, and the Critical pile is heavily concentrated in Windows core services. Office, Edge and Visual Studio carry the long tail of Important-rated bugs. The chart below is the operational view UK SME IT leaders should be planning against, not the press-release count.

  • Windows OS & kernel: 48 CVEs
  • Microsoft Office (Word, Excel, PowerPoint, Outlook): 22 CVEs
  • Active Directory & identity services: 17 CVEs
  • Microsoft Edge & Chromium: 15 CVEs
  • SQL Server & data platform: 11 CVEs
  • Dynamics 365 & Business Apps: 9 CVEs
  • Visual Studio, .NET & developer tools: 15 CVEs

Adobe, in step with Microsoft Patch Tuesday, pushed 32 vulnerabilities across 10 products including 2 criticals in Adobe Connect. SAP shipped 15 new advisories, two of them critical. The May ecosystem footprint — Microsoft, Adobe and SAP combined — runs to 184 CVEs on a single Tuesday. The era of ‘monthly patching’ as a Saturday-evening afterthought is over.

The 30 Critical CVEs — how the priority pile breaks down

Of the 137 entries, 30 are rated Critical. Inside that critical pile, the split between remote code execution (RCE), elevation of privilege (EoP) and information disclosure is what determines how aggressively each one needs to be sequenced. RCE on a network-reachable Windows service is the four-alarm category — that is exactly where Netlogon and DNS Client sit.

61%: share of May 2026 Critical CVEs classed as remote code execution, the highest-priority pile (18 of 30)

RCE makes up 61% of the Critical entries this month. Elevation of privilege accounts for another 23% (7 CVEs — including the on-prem Dynamics 365 entry), and the remainder splits between security feature bypass, spoofing, and information disclosure. For a UK SME running a typical hybrid estate — domain controllers on Server 2019/2022, Windows 11 endpoints, Microsoft 365 for mail, and SQL Server on-prem — that means at least four asset classes need patching inside the same fortnight.

Where most UK SMEs fail this rollup

The same eight gaps come up on every Cyber Essentials Plus audit, every cyber-insurance application, and every supplier security questionnaire we see. They are not exotic. They are the structural patch-management failures that turn a Microsoft Patch Tuesday into a board-level incident a month later.

Where most UK SMEs are weak heading into the May 2026 rollup

Gap | Severity
No documented monthly patch SLA (critical / high / medium / low bands) | High
Domain controllers patched on the same schedule as endpoints | High
No reboot-window plan: servers carry unapplied updates for weeks | High
WSUS / Intune / Autopatch deployed but unmonitored: failed rings unnoticed | High
No inventory of internet-facing services (RDP, RPC, DNS, Exchange) by asset | Mid
BitLocker recovery keys not escrowed before patching | Mid
No rollback / VM-snapshot procedure for DCs prior to patch | Mid
Out-of-band Atlassian (Jira / Confluence) plug-in patch sequence undocumented | Low

Cost of getting May 2026 wrong — the realistic UK SME envelope

The cost of an unpatched Netlogon-class bug is not theoretical. The price points below are drawn from the public ICO penalty register, the latest Cyber Security Breaches Survey (CSBS 2025), and Cloudswitched incident-recovery engagements for businesses between 10 and 250 employees. They assume one productive working week of disruption, externally led incident response, and either a partial backup recovery or rebuild.

Business size | Likely DCs / endpoints | Incident-response cost | Productivity loss (5 days) | Total realistic exposure
Micro (1–9 users) | 0–1 DC / 10 endpoints | £8,000–£15,000 | £4,500 | £12,500–£19,500
Small (10–49 users) | 1–2 DCs / 50 endpoints | £20,000–£45,000 | £22,500 | £42,500–£67,500
Lower-mid (50–99 users) | 2–3 DCs / 100 endpoints | £55,000–£110,000 | £45,000 | £100,000–£155,000
Mid-market (100–249 users) | 3–5 DCs / 250 endpoints | £120,000–£240,000 | £112,000 | £232,000–£352,000
Upper-mid (250–500 users) | 5–8 DCs / 500 endpoints | £260,000–£520,000 | £225,000 | £485,000–£745,000

The numbers above exclude regulatory penalty exposure under UK GDPR (where Active Directory compromise typically triggers a notifiable personal-data breach), and they exclude the indirect cost of being struck off a supplier panel after the post-incident questionnaire round. Both line items, in our experience, frequently exceed the direct incident-response cost.

Reactive vs proactive — the two operating postures heading into Wednesday

Reactive posture

Where most UK SMEs are today

  • Patches noticed on the news cycle, not pre-staged from the MSRC pre-release
  • No defined SLA for critical / high / medium / low CVEs — everything queued for the next maintenance Saturday
  • Domain controllers patched at the same cadence as user laptops
  • Atlassian SSO Plugin (CVE-2026-41103) fix verified through Microsoft alone — the Atlassian-side patch left undeployed
  • No BitLocker recovery-key escrow before patching — one Secure Boot prompt locks out a director
  • Audit evidence reconstructed from screenshots three months later when Cyber Essentials Plus re-certification renews
  • Insurer renewal questionnaire answers based on memory — not WSUS / Intune compliance reports

Proactive posture

Where Cloudswitched Managed IT Support takes you

  • MSRC pre-release reviewed by a named engineer the Friday before Patch Tuesday — impacted assets pre-identified
  • Documented monthly SLA: 48 hours critical (CVSS 9.0+), 7 days high (CVSS 7.0+), 14 days medium, 30 days low
  • Domain controllers carved into their own patch ring with VM snapshot + recovery plan before reboot
  • Cross-vendor patches (Atlassian, Adobe, SAP) sequenced into the same rollout calendar — not left for someone else to remember
  • BitLocker recovery keys escrowed to Entra ID or Azure AD — one Secure Boot prompt is a five-minute support call
  • WSUS / Intune / Autopatch compliance pulled to a monthly evidence pack — ready for Cyber Essentials, ISO 27001 and insurer renewal
  • Quarterly tabletop on a hypothetical wormable AD bug — the muscle memory exists before the real one lands

The 10-step UK SME action plan for the May 2026 rollup

This is the operational sequence Cloudswitched runs on Managed IT Support estates inside the first 14 days of every Patch Tuesday. Each step is a separate gate — you do not advance until the prior gate has documented evidence. The percentage on each row indicates the typical position of an SME with a mature patching programme by Day 14.

  • Step 1 — Inventory snapshot (Day 0, 13 May evening)
  • Step 2 — Pull MSRC release notes; map CVEs to your KBs (Day 0–1)
  • Step 3 — Escrow BitLocker recovery keys to Entra ID (Day 1)
  • Step 4 — VM-snapshot every domain controller before patch (Day 1–2)
  • Step 5 — Apply DC patches (KB5087539 / 5087545 / 5087541), 48-hour window (Day 1–2)
  • Step 6 — Roll endpoints (KB5089549 / 5087420 / 5087544 ESU) (Day 3–7)
  • Step 7 — Sequence Dynamics 365 on-prem & SSO Plugin patches (Day 5–7)
  • Step 8 — Validate Atlassian-side SSO Plugin fix (CVE-2026-41103) (Day 7)
  • Step 9 — Adobe (Connect) and SAP rollout against the same calendar (Day 7–10)
  • Step 10 — Pull compliance evidence pack for CE, insurer, ISO 27001 (Day 12–14)
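Steps 2, 5, 6 and 10 come down to one question per host: is the KB the article lists for that platform actually installed? The script below is an added example, not Cloudswitched's tooling or anything from Microsoft; it assumes WinRM access to the target hosts, the standard build-number-to-release mapping (Server 2025 and Windows 11 24H2 both report build 26100, so the server/workstation product type decides), the KB numbers exactly as given in this article, and constructed host names you replace with your own.

```powershell
# Added example: map each host to the May 2026 rollup KB it needs and record
# whether it is installed, then write the result as an evidence CSV.
$Targets     = @('DC01', 'DC02', 'SQL01', 'LAPTOP-FIN01')   # constructed names; replace
$EvidenceDir = Join-Path $env:ProgramData 'PatchEvidence'

function Get-RequiredKb {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    param([int]$ProductType, [int]$Build)
    if ($ProductType -ne 1) {
        switch ($Build) {
            26100   { return 'KB5087539' }   # Windows Server 2025
            25398   { return 'KB5087541' }   # Windows Server 23H2
            20348   { return 'KB5087545' }   # Windows Server 2022
            default { return $null }
        }
    } else {
        switch ($Build) {
            { $_ -in 26100, 26200 } { return 'KB5089549' }   # Windows 11 24H2 / 25H2
            22631   { return 'KB5087420' }   # Windows 11 23H2
            19045   { return 'KB5087544' }   # Windows 10 22H2, ESU only
            default { return $null }
        }
    }
}

# Collect OS identity, installed hotfixes and last boot time from every target in one pass.
$report = Invoke-Command -ComputerName $Targets -ErrorAction SilentlyContinue -ScriptBlock {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Caption     = $os.Caption
        Build       = [int]$os.BuildNumber
        ProductType = [int]$os.ProductType
        Installed   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
        LastBoot    = $os.LastBootUpTime
    }
}

$rows = foreach ($r in $report) {
    $kb   = Get-RequiredKb -ProductType $r.ProductType -Build $r.Build
    $ring = if ($r.ProductType -eq 2) { 'DC (48h)' }
            elseif ($r.ProductType -eq 3) { 'Server (7d)' }
            else { 'Endpoint (7d)' }
    # Assumption: hotpatch-enrolled hosts may report the fix under a different hotpatch
    # KB than the baseline KB the article lists, so a MISSING row on such a host needs a
    # manual look rather than an automatic fail. Windows 10 without ESU will also show
    # MISSING, which is the correct answer: it is unpatched.
    $status = if (-not $kb) { 'UNMAPPED - review manually' }
              elseif ($r.Installed -contains $kb) { 'Compliant' }
              else { 'MISSING' }
    [pscustomobject]@{
        Host       = $r.Host
        Platform   = $r.Caption
        Ring       = $ring
        RequiredKb = $kb
        Status     = $status
        LastBoot   = $r.LastBoot   # a boot time older than the patch run means the fix is staged, not active
    }
}

$rows | Sort-Object Ring, Status | Format-Table -AutoSize
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
$rows | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "may2026-kb-compliance-$(Get-Date -Format yyyyMMdd).csv")
```

Hosts that do not answer WinRM are simply absent from the CSV, so reconcile the row count against your inventory snapshot from Step 1 before filing it as evidence.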

Your May 2026 patch-readiness score

If you have a documented monthly patching SLA, a separate DC patch ring with snapshots, escrowed BitLocker keys, and a compliance evidence pack you can hand to an assessor on demand, you are scoring at the top of the gauge below. If even one of those is missing, you are not patch-ready for the volume the 2026 calendar is delivering.

37/100: average UK SME patch-readiness score, based on Cloudswitched audits, Q2 2026

A score of 37/100 is not a moral failing. It is what happens when patching is treated as a help-desk admin task rather than a board-level compliance discipline. The good news: the seven structural fixes above shift the average score to 78/100 within a single quarter, and they do not require a single piece of new hardware.

Practical tip — the BitLocker recovery-key gotcha

The May 2026 rollup contains a quietly important note in Microsoft’s release advisory: machines with custom Secure Boot baselines may prompt for the BitLocker recovery key on first reboot after patching. If your recovery keys are not escrowed to Entra ID or Azure AD, a director’s laptop on a customer site becomes an urgent call into your help desk at the worst possible moment. The fix is one command (manage-bde -protectors -get C:, which lists the recovery-password protector and its ID) and a 30-minute escrow sweep before you start the May rollout, not after.
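The escrow sweep itself, as an added example rather than Cloudswitched's own script: it does in PowerShell what manage-bde -protectors -get C: only reports, adding a recovery-password protector where a volume has none and backing every recovery password up to Entra ID. It assumes the device is Entra ID joined or hybrid joined, the built-in BitLocker module is present, and the session is elevated; the evidence path is an assumption.

```powershell
# Added example: pre-rollout BitLocker recovery-key escrow sweep for one device.
$EvidenceDir = Join-Path $env:ProgramData 'PatchEvidence'   # assumed evidence location

$results = foreach ($vol in Get-BitLockerVolume) {
    # A volume with protection off has no key to escrow; record it so the gap is visible.
    if ($vol.ProtectionStatus -ne 'On') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; State = 'NotProtected'
                           KeyProtectorId = $null; Escrowed = $false; Error = $null }
        continue
    }

    # Same information manage-bde -protectors -get shows: the numerical (recovery) password protectors.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # TPM-only volumes have nothing a help desk can read out; add a recovery password first.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        $err = $null
        try {
            # Escrow to the Entra ID device object; fails if the device is not Entra joined.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $ok = $true
        } catch {
            $ok  = $false
            $err = $_.Exception.Message
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; State = 'Protected'
                           KeyProtectorId = $p.KeyProtectorId; Escrowed = $ok; Error = $err }
    }
}

$results | Format-Table -AutoSize
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
$results | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "bitlocker-escrow-$(Get-Date -Format yyyyMMdd).csv")
```

For devices that are domain joined only, the same loop works with Backup-BitLockerKeyProtector, which escrows to AD DS instead of Entra ID, provided the AD schema and group policy for BitLocker recovery information are in place.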

The May 2026 Patch Tuesday — at a glance

Fact | Detail
Release date | Tuesday 13 May 2026
Total CVEs | 137
Critical-rated | 30
CVSS 9.0 or higher | 14
Zero-days exploited in the wild | 0; first ‘clean’ release since June 2024
Wormable Netlogon RCE | CVE-2026-41089, CVSS 9.8, runs as SYSTEM, all Server 2012+ affected
DNS Client RCE | CVE-2026-41096, CVSS 9.8, no auth, every Windows endpoint
Dynamics 365 on-prem RCE | CVE-2026-42898, CVSS 9.9, on-premises only, cloud unaffected
Microsoft SSO Plugin for Atlassian | CVE-2026-41103, Critical, auth bypass, verify Atlassian-side patch
Azure DevOps CVSS 10.0 | CVE-2026-42826, mitigated by Microsoft, no customer action required
Server 2025 / Server 2022 / Server 23H2 KBs | KB5087539 / KB5087545 / KB5087541
Windows 11 24H2/25H2 KB | KB5089549
Windows 11 23H2 KB | KB5087420
Windows 10 ESU KB | KB5087544, Extended Security Updates only; non-ESU Win10 unsupported
Hotpatch default | Now default servicing mode on supported Server 2025 / Windows 11 24H2 / 25H2 builds
Cyber Essentials v3.3 deadline | 27 May 2026, 14 days from vendor patch availability for all CVSS 7.0+ bugs
April 2026 comparison | 169 CVEs, second-highest single Patch Tuesday in history
Adobe / SAP ecosystem footprint | Adobe 32 (2 critical, Adobe Connect); SAP 15 (2 critical)

Related Cloudswitched coverage — the wider 2026 patching picture

The May 2026 rollup does not sit in isolation. It is the third Patch-Tuesday-class advisory in 30 days — on top of an active Palo Alto firewall zero-day and a WordPress plugin takeover wave that has already cost UK SMEs operating their own marketing sites. Read the full series for the operational pattern: the NCSC patch-wave warning and UK SME vulnerability management plan sets out the documented SLA approach NCSC now expects. The Palo Alto PAN-OS zero-day action plan covers the parallel firewall vector. The WordPress mass-takeover web stack audit covers the third-party CMS dimension. The Microsoft 365 Copilot Anthropic default opt-in guide covers the EU Data Boundary governance change that landed at the same time as April Patch Tuesday. The Veeam 3-2-1-1-0 cloud backup plan covers the backup-side controls that pay for themselves the first time a patch fails. And the PSTN switch-off VoIP plan covers the parallel deadline-driven workstream every UK SME is now running alongside their patching programme.

Need a managed patching SLA you can put in writing?

Cloudswitched Managed IT Support carves your estate into the right patch rings, snapshots your DCs before every Patch Tuesday, escrows your BitLocker recovery keys, sequences Microsoft, Adobe, SAP and Atlassian patches into a single calendar — and produces the monthly evidence pack your Cyber Essentials Plus assessor, insurer and supplier security questionnaire all now expect.

Talk to us about Managed IT Support

FAQ — UK SME Patch Tuesday May 2026

Do we really have only 48 hours to patch our domain controllers?
Cyber Essentials v3.3 sets the formal deadline at 14 days from vendor patch availability for any CVSS 7.0+ vulnerability. The 48-hour window for domain controllers is the responsible operational target for a wormable, pre-authentication, SYSTEM-level RCE like CVE-2026-41089. Every Netlogon-class bug since Zerologon (August 2020) has seen public proof-of-concept code published inside a week, with mass scanning following inside ten days. The 48-hour window is what gives you margin between the patch landing and the first wave of automated exploitation. If your DCs slip past 14 days you are also out of Cyber Essentials Plus compliance and exposed on your next insurer renewal.
We run cloud-only Microsoft 365 and no on-prem servers — does any of this affect us?
Yes, partially. Cloud-only tenants are not exposed to CVE-2026-41089 (Netlogon is an on-prem AD protocol) or CVE-2026-42898 (on-prem Dynamics 365 only). But CVE-2026-41096 — the DNS Client overflow — affects every Windows endpoint regardless of where authentication terminates, because the DNS Client is the local resolver on every Windows 10 ESU, Windows 11 23H2/24H2/25H2 machine. You still need to roll KB5087544/KB5087420/KB5089549 inside the seven-day endpoint SLA. The Microsoft SSO Plugin for Atlassian (CVE-2026-41103) also applies if you run Jira or Confluence with Microsoft SSO.
What is hotpatching and does it remove the reboot requirement?
Hotpatching is Microsoft’s ability to apply security fixes to running code in memory without rebooting the operating system. As of the May 2026 release it is now the default servicing mode on supported Server 2025, Windows 11 24H2 and Windows 11 25H2 builds. In practical terms a hotpatch-eligible domain controller can take this month’s Netlogon fix and stay up; you only reboot on the quarterly ‘baseline’ release. It does not remove the need to plan the patch window, take a VM snapshot, or escrow recovery keys — but it materially reduces the downtime cost of hitting the 48-hour DC SLA.
We are on Windows 10 without ESU. What changes for us?
Without Extended Security Updates, Windows 10 stopped receiving security patches in October 2025. KB5087544 is the ESU-only fix — without ESU it does not apply to your devices. Any unsupported Windows 10 endpoint on your estate is now permanently exposed to CVE-2026-41096 and every future Critical Windows bug. Beyond the technical exposure, an unsupported endpoint is an automatic Cyber Essentials Plus fail under control A6 (Patch Management). The pragmatic options are Windows 11 in-place upgrade, hardware refresh, or a 12-month ESU licence as a bridge — we cost all three on Managed IT Support audits.
Why does the Microsoft SSO Plugin patch need verifying through Atlassian as well?
CVE-2026-41103 is a critical authentication bypass in the Microsoft SSO Plugin for Jira and Confluence. The Microsoft-side fix updates the plugin’s code, but Atlassian also has to ship a paired update on the Jira and Confluence side to invalidate session tokens issued before the patch. If you only verify the Microsoft side you can leave a usable bypass behind for any pre-patch session. Cloudswitched’s standard practice is to apply both vendor updates inside the same change window and confirm the fix from both ends — the same approach we recommend on any cross-vendor identity-related CVE.
What evidence do we need on file for a Cyber Essentials Plus assessor?
For each Patch Tuesday release you need: (1) a dated change record showing which KBs were applied to which asset classes; (2) a compliance report from WSUS, Intune, Autopatch or your RMM showing percentage compliance per ring inside the 14-day window; (3) an exceptions log for any device that could not be patched (with mitigating controls); and (4) a signed-off monthly patching SLA document. Assessors increasingly ask for screenshots of the actual compliance dashboard, not a written summary. The same evidence pack is now requested at insurer renewal and on most supplier security questionnaires.
Are Adobe and SAP patches genuinely a UK SME concern this month?
Adobe Connect and SAP S/4HANA appear in more UK SME estates than IT teams realise — Connect through training and HR webinar workflows, SAP through finance-team line-of-business installs. The Adobe May release includes two criticals in Adobe Connect (RCE), and the SAP release includes two criticals in S/4HANA modules. Both vendors release in lockstep with Microsoft Patch Tuesday by design. If your patching calendar only sequences Microsoft, you are by definition out of compliance on the same Cyber Essentials v3.3 14-day rule for any non-Microsoft software you run. Our Managed IT Support patching calendar sequences all three vendors into a single ring.
How does Cloudswitched actually run a patch ring for a UK SME?
We carve the estate into four rings: (R0) test — one DC or one endpoint of each class, patched within 24 hours of release; (R1) early adopters — IT and security team devices, patched at 48–72 hours; (R2) production — the bulk of the user base, patched between days 4 and 10; (R3) deferred — line-of-business critical systems that need vendor validation, patched between days 10 and 14. Every ring has named escalation, a documented rollback (VM snapshot for servers, system restore + BitLocker key for endpoints), and an exceptions log. The whole process is automated through Intune Autopatch and our RMM, with named-engineer oversight rather than ‘set and forget’.
What is the realistic budget for monthly managed patching at a UK SME?
A documented monthly patching programme inside Managed IT Support typically costs between £5 and £12 per user per month depending on the number of server workloads. For a 25-user SME with two domain controllers and one SQL Server, that is roughly £180–£300 per month for the patching layer alone — against an average incident exposure (per the table above) of £42,500–£67,500 from a single Netlogon-class compromise. The economics are unambiguous, which is why insurers now actively rate against the existence of a documented patching SLA at renewal.
Can we just turn on Windows Update and call it done?
No. Windows Update without management is not a patching programme — it is consumer autopatch. It does not give you per-asset evidence, per-ring deferment, exception logging, BitLocker recovery-key escrow, snapshot rollback for servers, or compliance reporting. It also does not sequence non-Microsoft vendors like Adobe, SAP and Atlassian. For a single home laptop it is fine. For any business that is in Cyber Essentials scope, holds personal data under UK GDPR, has cyber insurance, or sits in a supplier panel, it falls short of every assessor’s expectation. Intune Autopatch, WSUS or a managed RMM-driven equivalent is the minimum bar.

Want your May 2026 patch evidence pack on file by 27 May?

Cloudswitched Managed IT Support handles the full May 2026 rollup — domain controllers, endpoints, Dynamics 365 on-prem, SSO Plugin, Adobe and SAP — on a documented SLA with a named engineer and a compliance evidence pack ready for your next Cyber Essentials Plus, ISO 27001 or insurer renewal. Find out how a managed patching programme would look on your estate.
