Microsoft patches 120 flaws

- Microsoft’s May 12 Patch Tuesday fixed 120 vulnerabilities across Windows, Office, Azure, Visual Studio, and more, with no publicly disclosed zero-days this month.
- The most serious bugs were 11 remote-code-execution flaws rated Critical, while Windows 10’s KB5087544 also starts Secure Boot certificate prep before June expiry.
- That is a calmer month than April’s 167 fixes and two zero-days, but the boot-certificate change makes routine patching unusually operational.

Microsoft’s monthly patch bundle is back, and this one is less about panic than discipline. On May 12, Microsoft shipped fixes for 120 security flaws across its product stack, including Windows, Office, Azure, Visual Studio, Remote Desktop Client, and Defender for Endpoint. The big relief is what was not in the release — no zero-days, and no bugs marked as publicly disclosed before the fixes landed. But “quiet month” does not mean “small deal,” because some of the riskiest work here is buried in the Windows servicing details.

### What actually got fixed?

Microsoft’s May release covers 120 CVEs in total. BleepingComputer’s breakdown counts 11 Critical bugs, 107 Important ones, one Moderate, and one Low. The largest buckets were remote code execution, privilege escalation, and information disclosure — the usual trio that keeps defenders busy because attackers can chain them together. (bleepingcomputer.com)

### Why does “no zero-days” matter?

A zero-day means defenders are already behind — either the bug is being exploited or the details are already out in public before most systems are patched. That did not happen this month. Compared with April 2026, when Microsoft fixed 167 flaws including two zero-days, May looks calmer and more manageable for IT teams trying to prioritize patch windows. (bleepingcomputer.com)

### Which bugs look nastiest?

The sharp end of this release is remote code execution. Microsoft’s update set includes 11 Critical vulnerabilities, and those are the ones security teams usually triage first because they can let an attacker run code from afar. Even without a zero-day, that class of bug is the one most likely to turn a routine patch cycle into an urgent one if exploit code appears later. That’s the catch with Patch Tuesday — “not exploited yet” is not the same thing as “safe to delay.” (bleepingcomputer.com)

### What changed for Windows 11?

Windows 11 got cumulative update KB5089549 for versions 24H2 and 25H2, bringing OS builds 26100.8457 and 26200.8457. Microsoft says it folds in the month’s security fixes plus the non-security changes from the April preview release. So if you follow Windows closely, this is the security vehicle that also carries the smaller usability tweaks people noticed earlier. (bleepingcomputer.com)

### Why is the Windows 10 update more interesting than it looks?

Windows 10’s KB5087544 is not just another cumulative update. Microsoft’s support notes tie it to Secure Boot certificate work ahead of a June 2026 certificate expiration. Basically, Windows is preparing eligible devices to receive newer Secure Boot certificates so machines can keep validating the boot chain properly. That is the kind of maintenance task users barely notice — until it goes wrong and suddenly a fleet has boot or recovery problems. (support.microsoft.com)

### Is there any known snag?

Yes — Microsoft flags a known issue where some devices with a specific, non-recommended BitLocker group policy setup may be prompted for a BitLocker recovery key after the update’s first restart. The affected setup is narrow and mostly relevant to managed enterprise environments, but it is exactly the sort of edge case admins need to check before broad deployment. (support.microsoft.com)

### So what’s the real takeaway?

This was a lighter Patch Tuesday in headline terms, but a very normal one in real-world security terms. No zero-days buys defenders breathing room. The boot-certificate work and BitLocker caveat are the reminder that patching is not just “install fixes” — it is systems hygiene, compatibility testing, and boring operational competence. That boring part is the job. (bleepingcomputer.com) (support.microsoft.com)
