Microsoft released its May 2026 Patch Tuesday updates on May 12, fixing more than 120 Windows vulnerabilities including critical remote code execution flaws in Office, Word, and Windows DNS. There are no actively exploited zero-days this month, but a known BitLocker recovery issue and the looming June 26 Secure Boot certificate expiration mean York PC owners should not ignore this update.
What Microsoft fixed this month
Microsoft's May 2026 Patch Tuesday delivered security updates for 120 flaws and no zero-days, addressing 17 "Critical" vulnerabilities — 14 remote code execution, 2 elevation of privilege, and 1 information disclosure. For the first time since June 2024, no zero-days were exploited in the wild or publicly disclosed at release.
The update arrives as Windows 11 builds 26200.8457 and 26100.8457 (KB5089549) for versions 25H2 and 24H2 , with the Windows 10 KB5087544 extended security update fixing the same vulnerabilities and resolving an issue with new Remote Desktop warnings.
The most concerning fixes target everyday software. Microsoft fixed numerous vulnerabilities in Microsoft Office, Word, and Excel that could lead to remote code execution. These flaws are exploited by opening malicious files, which can result in remote code execution. As many of these can be exploited via the preview pane, it is strongly advised to update Microsoft Office as soon as possible, especially for users who commonly receive attachments. One of the most severe vulnerabilities patched is CVE-2026-41096 (CVSS score: 9.8), a heap-based buffer overflow flaw impacting Windows DNS that could allow an unauthorized attacker to execute code over a network.
The BitLocker recovery issue to watch for
This month's update fixes a real-world headache that has caught some users off guard. The update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations.
The problem only affects systems using a specific BitLocker Group Policy configuration that includes PCR7 in the TPM validation profile, along with several Secure Boot and boot manager conditions tied to the newer Windows UEFI CA 2023 certificate. As a temporary workaround, Microsoft advises removing the affected Group Policy setting and then suspending and resuming BitLocker to regenerate the default PCR bindings while it works on a permanent fix.
If your PC boots to a blue "BitLocker recovery" screen asking for a 48-digit recovery key, don't panic — but don't guess either. You'll need the recovery key tied to the Microsoft account or work account that set up the drive.
The Secure Boot certificate deadline is approaching
Buried inside this month's release notes is a warning that matters for nearly every Windows PC built in the last decade. Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. Microsoft recommends reviewing the guidance and taking action to update certificates in advance.
The original Secure Boot certificates issued in 2011 and used by most Windows devices built between 2012 and 2025 expire on June 26, 2026. Every Windows device that has not received updated Secure Boot certificates before that date enters a degraded security state the following day. Users should let supported Windows machines install current security updates, avoid interrupting restarts, and pay attention to Secure Boot warnings in Windows Security.
What This Means for York, PA
York-area PC owners should install this month's Windows update soon — especially anyone who opens Word or Excel attachments for work — and avoid interrupting any restarts that follow. If your laptop boots to a BitLocker recovery screen and you don't have the key, bring it into York Computer Repair at 2069 Carlisle Rd and we'll help you sort it out.
Sources
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
- May 12, 2026—KB5089549 (OS Builds 26200.8457 and 26100.8457)
- Microsoft releases Windows 10 KB5087544 extended security update
- Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
- Windows 11: May 2026 Patch Tuesday is live
- May 2026 Microsoft Patch Tuesday | Tenable
- May 2026 Secure Boot Certificate Rollover: One Restart, Big Firmware Risk