Patch Tuesday Megathread - (May 12, 2026)

Posted by AutoModerator@reddit | sysadmin | View on Reddit | 96 comments

Hello r/sysadmin, I'm u/AutoModerator, and welcome to this month's Patch Megathread!

This is the (mostly) safe location to talk about the latest patches, updates, and releases. We put this thread into place to help gather all the information about this month's updates: What is fixed, what broke, what got released and should have been caught in QA, etc. We do this both to keep clutter out of the subreddit, and provide you, the dear reader, a singular resource to read.

For those of you who wish to review prior Megathreads, you can do so here.

While this thread is timed to coincide with Microsoft's Patch Tuesday, feel free to discuss any patches, updates, and releases, regardless of the company or product. NOTE: This thread is usually posted before the release of Microsoft's updates, which are scheduled to come out at 5:00PM UTC.

Remember the rules of safe patching:

Deploy to a test/dev environment before prod.
Deploy to a pilot/test group before the whole org.
Have a plan to roll back if something doesn't work.
Test, test, and test!

[-]

PrettyFlyForITguy@reddit

Did they patch RedSun yet?

[-]

techvet83@reddit

That was fixed last month, I believe. They had to put out a Windows Defender update for that, IIRC.

[-]

TheJesusGuy@reddit

???

[-]

GushingGranny39@reddit

Can you link any source? Cause i could not find any information. Not even a cve number.

[-]

ender-_@reddit

Nightmare-Eclipse dropped a privilege escalation and BitLocker bypass just after the updates. Microsoft really pissed them off.

[-]

Friendly_Guy3@reddit

Yellowkey is a fun one . It just works

[-]

MikeWalters-Action1@reddit

While we wait for today’s Patch Tuesday updates, here’s a rundown of last month’s biggest third-party security disasters (top 10 by importance and impact):

Cisco Webex: Unauthenticated remote compromise (CVE-2026-20184, CVSS 9.8)
Cisco ISE: Multiple critical auth and access control flaws (CVE-2026-20180, CVE-2026-20186, CVE-2026-20147, CVSS 9.9)
Google Chrome: Nearly 150 vulnerabilities patched across two releases, including an actively exploited flaw (CVE-2026-5281, CVSS 8.8)
Adobe Acrobat Reader: Actively exploited document-handling flaws (CVE-2026-34621, CVE-2026-34622, CVSS 8.6)
SAP BPC / Business Warehouse: Critical remote code execution vulnerability (CVE-2026-27681, CVSS 9.9)
Mozilla Firefox v150: Multiple high-severity browser vulnerabilities (CVSS up to 8.1)
Linux Kernel: Actively exploited privilege escalation flaws enabling root compromise (CVE-2026-31431, CVE-2026-43284, CVSS 7.8)
Fortinet FortiClientEMS: Actively exploited endpoint management vulnerabilities (CVE-2026-35616, CVE-2026-21643, CVSS 9.1)
Palo Alto Cloud NGFW: Actively exploited firewall RCE (CVE-2026-0300, CVSS 9.3)
cPanel: Actively exploited unauthenticated RCE on hosting servers (CVE-2026-41940, CVSS 9.8)

[-]

TheJesusGuy@reddit

Keep fighting the good fight

[-]

AnDanDan@reddit

Mike, your pages havent been updated with todays info, only shows April

[-]

porsten@reddit

Try this https://www.action1.com/patch-tuesday/patch-tuesday-may-2026/

[-]

MikeWalters-Action1@reddit

thanks for pointing that out — the page is actually updating in real time. it may have briefly cached older data on your side. you should be seeing today’s info now!

[-]

Geh-Kah@reddit

I got a butthurt domaincontroller on s2019std. In recovery mode I got network. Normal boot no network. Not able to login.

[-]

Top_Incident_3284@reddit

Installed the update, how do I get rid of the "Disconnect" button in the lower left corner of the taskbar? Using a virtual machine in Hyper-V. Windows-button/start menu also missing if it is aligned to the left..

[-]

raresolid@reddit

We need more details. What update? Also what OS is this?

[-]

Top_Incident_3284@reddit

Running Win 11 Enterprise 25H2 build 26200.8390 and installed hotpatch KB5089466

None of my colleagues which also uses hyper-V VMs seems to have this issue after installing the same KB, might be a local issue with my VM.

[-]

Relative_Hippo2549@reddit

Not a comment about patches per se, just a rant. For months I've been trying to get the new guy in the team to join the patching roster. Once a month, one guy does all the patching. And he's been here for like a year, and somehow dodged it.

We actually had another team member retire this year, so we needed him to take his place - or else everyone needs to put in extra shifts. I did Mr. NewGuy's onboarding, so I kept telling him "can you please sign up for the patching roster". He always said 'yeah yeah I'll do it', but every time I check - his name is not there.

Eventually I went to our team lead and said, can you please handle this. And this manager happens to be a decent and competent get-stuff-done human being, so he got Mr. NewGuy rostered!!

... And as soon as NewGuy's first patching round was about to start, he suddenly booked annual leave for 2 weeks.

We still had to cover up for him.

I'm not even mad at this point, I'm mostly impressed with the guy's work avoidance skills. Had he harnessed his talent to actual work, it would have been more useful though.

[-]

No_Aardvark_1145@reddit

Thanks for making me smile 😄

[-]

Double_Situation_979@reddit

Any word on the MS Defender zero-days Red Sun and UnDefend?

[-]

raresolid@reddit

Techvet83 addressed this.

https://www.reddit.com/r/sysadmin/s/g0NqYOtPMQ

[-]

GuessSecure4640@reddit

gif

[-]

Mitchell_90@reddit

No Office patches this month? Don’t see anything listed other than last months.

[-]

YourMomIsADragon@reddit

I'm wondering this as well. The update history doesn't show anything as of yet, but I'm not sure if that's updated in a timely fasion as a rule.

https://learn.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date

[-]

Mitchell_90@reddit

Weird, I Just did a manual check for updates on a machine with M365 monthly enterprise channel and it’s came back as up to date. Build number is still showing the one from April.

MSRC lists security updates for Excel etc and has M365 desktop apps in the applicable section.

[-]

Fabulous_Cow_4714@reddit

Do Offce updates always lag behind Windows updates release times or is Microsoft holding this update back for a reason?

[-]

frac6969@reddit

It's not simultaneous but usually within hours. I see updates for LTSC and 2019 (!), but not yet for 365.

[-]

Raxor@reddit

I hadnt paid too much attention to the monthly updates (monthly enterprise channel) but i thought they came out around the similar time as patch tuesday

[-]

kinglear@reddit

Since some are still having joshtaco withdrawals, here is my impression:

Pushing this out to 30,000 servers, 2,500 of which are DC's, during peak work hours 🚬🚬🚬

[-]

TheCrimsonArmada@reddit

Wait what happened to Joshtaco?

[-]

Own_Back_2038@reddit

He posted off topic stuff in the subreddit, got muted temporarily, and is now throwing a fit about it

[-]

TheCrimsonArmada@reddit

Do you happen to have a link to his tantrum?

[-]

Own_Back_2038@reddit

Here’s a thread discussing it:

https://www.reddit.com/r/sysadmin/comments/1qbzwiu/patch_tuesday_megathread_20260113/nzi46vk/

[-]

timbotheny26@reddit

Honestly, the fact that you're updating servers probably makes you better for update litmus testing since (I believe) joshtaco was only doing workstations.

[-]

fedesoundsystem@reddit

My boss asked for quick ways to get issue reports, so I delivered

[-]

Character-Act-7826@reddit

Pushing this out to 150,000 DCs, 10 million workstations. During peak work hours of course

[-]

sys_127-0-0-1@reddit

That's MS's job!

[-]

schaef87@reddit

Anyone else have only Windows Malicious Software Removal Tool x64 and Defender updates? Or am I too early for once? lol

[-]

DeltaSierra426@reddit

Too early. Should be seeing the CU's now. Yeah?

[-]

schaef87@reddit

Yeah...This was just the earliest I have ever had enough free time to check. lol

[-]

AviationLogic@reddit

Available in Action1, pushing currently.

[-]

Low_Butterscotch_339@reddit

Release time is 10am PST.

May 12, 2026-KB5087051 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 25H2 and Microsoft server operating system 24H2 - Microsoft Support

May 12, 2026—KB5089549 (OS Builds 26200.8457 and 26100.8457) - Microsoft Support

[-]

dcnjbwiebe@reddit

Normal release time is 17:00 UTC.

[-]

Glass_Call982@reddit

It's usually after 1 or 2pm for us.

[-]

blackjaxbrew@reddit

This shit gives me anxiety every month

[-]

EsbenD_Lansweeper@reddit

Here is the Lansweeper summary. Top of the queue is a CVSS 9.1 EoP in Microsoft's Jira and Confluence SSO plug-in, plus four critical RCEs in Word.

[-]

_kinesthetics@reddit

Let's go gambling!

[-]

blacktirion@reddit

So glad that we wait until the Friday after Patch week to push ours... Don't particularly like being a beta tester.

[-]

Spirited-Background4@reddit

Friday? So if something happens somebody has to work weekend 😆

[-]

Away_Worker_4633@reddit

IT Rule: Never break things on Fridays.

[-]

the_lazy_sysadmin@reddit

"Read-only Fridays", is what I've heard this referred to as.

[-]

dracotrapnet@reddit

Heard of it. Sounds magical.

[-]

Away_Worker_4633@reddit

I used this in the past too, but sometimes, changes have to be made to things that are not critical and I am ok with doing those on Fridays as long as it can stay down until Monday.

[-]

oversizedmoosecalf@reddit

Fix Real Issues Delay All YOLOS

[-]

Questionsiaskthem@reddit

I've also heard it called don't f with it Friday.

[-]

Resident-War8004@reddit

Amen

[-]

3percentinvisible@reddit

We patch over Friday night, check Saturday.

[-]

PA_Admin@reddit

I think he means a week from this coming Friday. That's plenty of time for one of us to cave and test for the rest of us... LOL

[-]

cbiggers@reddit

I'd rather download and reboot during production hours than do it off hours on a Friday.

[-]

gregarious119@reddit

“Everyone has a test environment, some also have a production environment”

[-]

DodgyDoughnuts@reddit

Working at an MSP and we have multiple test environments!

[-]

Liquidfoxx22@reddit

Everybody has a test environment, some people are lucky enough to have a totally separate environment to run production in.

[-]

Sufficient-Owl1826@reddit

Rolling out to my test environment right after I finish my coffee. Really hoping nothing catches on fire this time.

[-]

Character-Act-7826@reddit

What happened to the legend joshtaco? This megathread is not the same without our guy.

[-]

lunchm3at@reddit

Moved on, and with the turnover in this space.. fast becoming a faint memory.

[-]

rabbidsmurfs@reddit

Never forget.

[-]

TheLostITGuy@reddit

Forget what?

[-]

lunchm3at@reddit

It's dangerous to go alone! Take this.

[-]

FCA162@reddit

Pushing this update out to 200 Domain Controllers (Win2016/2019/2022/2025) in coming days.
I will update my post with any issues reported.

Happy patching, and may all your reboots be smooth and clean!

[-]

landon_at_automox@reddit

No active exploitation confirmed this month, but a couple of these are worth moving on quickly.

Things that stood out:

CVE-2026-41089: Windows Netlogon RCE (CVSS 9.8) Pre-auth stack overflow on domain controllers. No credentials, no user interaction. Patch all DCs in the same window – half-patched forests aren't a defensible state for a pre-auth DC bug.
CVE-2026-41096: Windows DNS client RCE (CVSS 9.8) Heap overflow via malicious DNS response. Scope is every Windows host issuing DNS queries, not just servers. Workstations behind a compromised resolver are in play.
CVE-2026-40402: Hyper-V guest-to-host escalation (CVSS 9.3) Low-privilege guest to SYSTEM on the host. Microsoft confirmed the security boundary can be traversed. Same-day patch if you have untrusted guest workloads.
macOS Tahoe 26.5 – CVE-2026-28819 Apple shipped Tahoe 26.5 on May 11. Wi-Fi kernel RCE, out-of-bounds write, kernel privileges. Wi-Fi stacks scan for APs even when connected so you don't need to join a hostile network to be exposed.

Linux: Copy-Fail and Dirty Frag need two separate module blocks. Disabling algif_aead does not cover Dirty Frag. Free mitigation scripts on GitHub if you're not an Automox customer: github.com/AutomoxCommunity

Full writeup and podcast episode here: written analysis and Patch Fix Tuesday podcast.

[-]

WorkFoundMyOldAcct@reddit

I missed this.

[-]

MarkTheMoviemaniac@reddit

I apologize if this is a dumb questions but do we know if the fix for the Dom Controller reboot issue is rolled into the May Cumalitive?

[-]

FCA162@reddit

The DC reboot loop issue was solved in an OoB update. So the fix must be included in the May cumulative update.

[-]

jaritk1970@reddit

ZDI Blog:

https://www.zerodayinitiative.com/blog/2026/5/12/the-may-2026-security-update-review

[-]

jaritk1970@reddit

Bleepingcomputer.com links:

https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/

https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5089549-and-kb5087420-cumulative-updates-released/

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5087544-extended-security-update/

[-]

sashalav@reddit

Linux had 4 patch Tuesdays over the last week. Between local kernel exploits and cpanel double mess, and then exim thing -- just yuck. I was this close to saying, "we might as well switch to windows", but that quickly passed when I realized I patched 100of VMs in minutes, and did that before patches were even released. It will be a few more shitty months for linux admins as AI finds new bugs, but then it will be years of smooth sailing ahead.

[-]

BigLeSigh@reddit

Time for the security reporting team to see numbers go brrrrrr

[-]

ItsANetworkIssue@reddit

Push, Break, Roll-back, Repeat!