#PatchTuesday 2026-05
Patching experience in my test lab (#homelab).

Windows 11 - No issues on any test machines / VMs.
Windows 10 - No issues on any test machines / VMs.

Windows Server 2016 - Normal, Servicing Stack Update (KB5088064).
Windows Server 2019 - Normal, uneventful.
Windows Server 2022 - Normal, uneventful.
Windows Server 2025 - Normal, uneventful.

🤡 Windows boot partition runs out of space for Microsoft's May security update

「 The problem is related to the EFI System Partition (ESP), which is usually where the device boots from. Its minimum size is 200 MB, and the operating system manages it. However, if there is 10 MB or less free space, then the update might fail with a 0x800f0922 error code and the helpful message 」

https://www.theregister.com/oses/2026/05/18/windows-boot-partition-runs-out-of-space-for-microsofts-may-security-update/5241799

#windows #patchtuesday

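A quick pre-flight check a defender can run before pushing the May update, as an added example that is not from The Register article or from any post in this thread; it assumes the Windows Storage cmdlets Get-Partition and Get-Volume, an elevated session, and a GPT/UEFI disk, and flags an ESP with 10 MB or less free, the condition the article ties to error 0x800f0922:

```powershell
# Added example (not from any of the posts above): report free space on the
# EFI System Partition (ESP). The May 2026 update reportedly fails with
# 0x800f0922 when the ESP has 10 MB or less free, so flag that condition.
# Assumes the Storage module cmdlets (Get-Partition / Get-Volume), an
# elevated session, and a GPT/UEFI disk.

# Well-known GPT partition type GUID of the EFI System Partition.
$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
# Threshold quoted in the article: 10 MB or less free is the danger zone.
$ThresholdBytes = 10MB

function Test-EspFreeSpace {
    [CmdletBinding()]
    param([long]$Threshold = $ThresholdBytes)

    # -eq on strings is case-insensitive in PowerShell, so GUID casing does not matter.
    $esp = Get-Partition | Where-Object { $_.GptType -eq $EspGptType }
    if (-not $esp) {
        # Legacy BIOS/MBR disks have no ESP; the documented failure does not apply.
        return [pscustomobject]@{
            Found = $false; DiskNumber = $null; PartitionNumber = $null
            SizeMB = $null; FreeMB = $null; AtRisk = $false
        }
    }

    foreach ($p in $esp) {
        # Get-Volume accepts the partition from the pipeline even without a drive letter.
        $vol = $p | Get-Volume
        [pscustomobject]@{
            Found           = $true
            DiskNumber      = $p.DiskNumber
            PartitionNumber = $p.PartitionNumber
            SizeMB          = [math]::Round($vol.Size / 1MB, 1)
            FreeMB          = [math]::Round($vol.SizeRemaining / 1MB, 1)
            AtRisk          = ($vol.SizeRemaining -le $Threshold)
        }
    }
}

# Run as Administrator so Get-Partition can enumerate partitions without a drive letter.
Test-EspFreeSpace | Format-Table -AutoSize
```

A row with AtRisk set to True means the machine is in the state the article describes and should be remediated before the update is deployed to it.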

⚠️ KB5089549 refuses to install on Windows 11? Here are the solutions

👉 https://www.justgeek.fr/kb5089549-erreur-0x800f0922-windows-11-150633/

#KB5089549 #Windows11 #Microsoft #MàJ #PatchTuesday

KB5089549 refuses to install on Windows 11? Microsoft confirms a bug related to the EFI partition and offers several solutions.

Zero Zero-Days.
https://na3niel.substack.com/p/zero-zero-days

May 12, 2026. Microsoft #PatchTuesday. Official #zeroday count: 0.

Same day. A researcher dropped two.

This is a field report on who's counting, and what they count.

Here's what others were doing.

Google pays $17.1 million a year in bug bounties — HackerOne's all-time annual record. Project Zero applies a 90-day public disclosure rule to every vendor. Including Google itself. In 2025 they added one more thing: they now publish the discovery date and the deadline before the patch even exists. The clock is public. The world knows it's running.

Apple had no public #bugbounty before 2020. The community noticed. They launched one. $35M paid, 800+ researchers credited over five years. October 2025: top reward doubled to $2M. $1,000 floor added for low-impact, first-time reports. Their stated reason: "we want researchers to have an encouraging experience."

Meta has paid a minimum of $500 per report since 2011. Not contingent on severity. Not contingent on final triage. The researcher showed up. The $500 ships.

OpenAI launched Daybreak in May 2026. An AI-powered vuln detection tool handed directly to external researchers. A tool to find problems with their own products. Given to the people looking for problems.

Anthropic's policy, as written: "We fully support researchers' right to publicly disclose vulnerabilities they discover."

xAI: March 2, 2025. A developer committed an .env file — API keys included — to a public GitHub repo. GitGuardian found it the same day. Sent an alert. No action followed.

Two months later, an independent researcher found the same key still active. GitGuardian reinvestigated. Still valid. No security.txt at xAI's domain. HackerOne contact for X: expired since January 2024, unrenewed. xAI's reply: "Please submit to HackerOne." The repo was deleted. No update sent. The fix happened silently, out of bounds of the process that found the problem.

And then there's Microsoft.

November 2, 2023 — Secure Future Initiative: "Security above all else."

April 2026 — Zero Day Quest 2026: "Zero Day Quest remains a core part of our ongoing partnership with the security research community." $2.3M awarded.

April 2 — BlueHammer published. #CVE-2026-33825 issued. Patched. Real exploitation observed by April 10.

April 16 — RedSun published. Live exploitation observed: compromised FortiGate VPN credentials, Russian IP, hands-on-keyboard operator. No #CVE issued. Patch quietly shipped. No announcement.

May 12, Patch Tuesday — Official zeroday count: 0.

May 12, same day — Chaotic Eclipse dropped YellowKey (#BitLocker bypass, Windows 11 / Server 2022/2025) and GreenPlasma (privilege escalation to SYSTEM).

The researcher's note: "Microsoft silently patched the RedSun vulnerability." "There will be a big surprise on June 9."

Microsoft's statement: "We support coordinated vulnerability disclosure — a broadly adopted industry practice that ensures issues are carefully investigated and addressed before being publicly disclosed."

The researcher didn't ask for money. Didn't ask for credit. Asked to be seen.

The mirror is there. No one has to look.

Full piece: what a silent patch does to the count — why CVE-based tooling is structurally blind to exactly this — the economics of recognition vs. money in the research community — Ballmer, 2001, and the distance between the stage and the MSRC triage queue — what to do instead of trusting the count.

All sources and related URLs are in the Substack post.

#bluehammer #yellowkey #WindowsSecurity #cybersecurity

https://winbuzzer.com/2026/05/15/mystery-microsoft-bug-leaker-keeps-the-zero-days-c-xcxwbn/

Two more Windows zero-day claims have surfaced: YellowKey targets pre-boot BitLocker exposure, while GreenPlasma points to post-compromise privilege escalation.

#YellowKey #GreenPlasma #Microsoft #ZeroDay #PatchTuesday #BitLocker #Windows11 #Cybersecurity

Oh cool. A 9.9 score on the new critical code injection vulnerability for Microsoft Dynamics 365 on-prem servers. RCE with a scope change. 🥳

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898

#Dynamics365 #PatchTuesday

CRITICAL: CVE-2026-8580 (CVSS 9.6) — Use after free in Chrome Mojo could enable sandbox escape via HTML. Patch to 148.0.7778.168+ now. No active exploits yet. https://radar.offseq.com/threat/cve-2026-8580-use-after-free-in-google-chrome-1dc444d7 #OffSeq #Chrome #Vuln #PatchTuesday

📰 Microsoft's May Patch Tuesday: 137 Flaws Fixed, Including Critical Netlogon RCE

Microsoft's May Patch Tuesday is huge: 137 vulnerabilities fixed, 30 critical. No zero-days for the first time in 22 months! 🚨 Key patches for critical RCEs in Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096). Patch now! ✅ #PatchTuesday

🔗 https://cyber.netsecops.io/articles/microsofts-may-2026-patch-tuesday-fixes-137-vulnerabilities/?utm_source=mastodon&utm_medium=social&utm_campaign=daily

📰 SAP Patches Critical Flaws in Commerce Cloud and S/4HANA with 9.6 CVSS Score

🚨 SAP has released critical patches for Commerce Cloud (CVE-2026-34263) and S/4HANA (CVE-2026-34260). Both flaws are rated 9.6 CVSS and could lead to system takeover. Patch immediately! #SAP #CyberSecurity #Vulnerability #PatchTuesday

🔗 https://cyber.netsecops.io/articles/sap-patches-critical-vulnerabilities-in-commerce-cloud-and-s4hana/?utm_source=mastodon&utm_medium=social&utm_campaign=daily

🔒 Stay informed on this week's top security threats. Our latest roundup covers: Critical RCE in Next-Auth-Connect, active libuv exploits in the wild, and Microsoft Patch Tuesday breakdown. Get the full analysis here: https://cvedatabase.com/blog/weekly-security-roundup-critical-rce-in-next-auth-connect-and-patch-tuesday-fall-2026-05-12 #CVE #Infosec #CyberSecurity #PatchTuesday #RCE #VulnerabilityManagement