Hacker-City
Hacker-City
Get the brief
Technology|May 19, 2026|4 min read

Patch Tuesday, May 2026 Edition

AI-powered vulnerability discovery tools like Project Glasswing are driving record-breaking patch releases from major software makers including Microsoft, Apple, Google, Mozilla, and Oracle in May 2026, with Microsoft addressing 118 security flaws including 16 critical vulnerabilities on this month's Patch Tuesday.

#patch-tuesday#security-vulnerabilities#microsoft#apple#google#mozilla#oracle#project-glasswing#ai-security#critical-flaws
K

Krebs on Security

Contributor

Patch Tuesday, May 2026 Edition

May 12, 2026

Artificial intelligence platforms, while equally vulnerable to social engineering as humans, are demonstrating a significant capability in identifying security vulnerabilities within human-created software. This month highlights that capability, as major software companies—including Apple, Google, Microsoft, Mozilla, and Oracle—implement nearly record levels of security fixes and accelerate their patch release schedules.

On the second Tuesday of each month, Microsoft has launched software updates addressing no fewer than 118 security vulnerabilities across its various Windows operating systems and other products. Remarkably, this marks the first Patch Tuesday in almost two years without any fixes for emergency zero-day flaws currently exploited by attackers. Additionally, none of the vulnerabilities addressed in this release had prior disclosures that might have given potential attackers insight into exploit methods.

Among these vulnerabilities, 16 were designated with Microsoft's most severe "critical" classification, indicating that malware or malicious actors could potentially exploit these issues to gain remote control over affected Windows devices with minimal or no user intervention required. Rapid7 has played a crucial role in identifying some of the particularly severe critical vulnerabilities this month, including:

  • CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon allowing an attacker to obtain SYSTEM privileges on the domain controller. No user interaction or privileges are necessary, and the complexity of the attack is low. Patches are available for all Windows Server versions from 2012 onward.
  • CVE-2026-41096: A critical remote code execution (RCE) vulnerability in the Windows DNS client implementation, which merits attention despite Microsoft's assessment of lower exploitation likelihood.
  • CVE-2026-41103: A critical elevation of privilege vulnerability that permits an unauthorized attacker to impersonate an existing user by presenting counterfeit credentials, thus bypassing Entra ID. Microsoft anticipates that exploitation is more likely in this case.

May's Patch Tuesday provides a welcome contrast to April's figures when Microsoft addressed a near-record 167 security flaws. Microsoft is among a select group of tech companies granted access to "Project Glasswing," an advanced AI initiative developed by Anthropic that appears highly effective in revealing security vulnerabilities in code.

Apple, also an early participant in Project Glasswing, generally resolves around 20 vulnerabilities with each iOS security update, according to Chris Goettl, vice president of product management at Ivanti. On May 11, Apple released updates addressing at least 52 vulnerabilities, extending these changes back as far as the iPhone 6s and iOS 15.

In the previous month, Mozilla launched Firefox 150, which resolved an impressive 271 vulnerabilities uncovered during the Glasswing assessment.

"Since the release of Firefox 150.0.0, the team has adopted a more vigorous weekly update cycle for security patches, including the deployment of Firefox 150.0.3 on May Patch Tuesday that resolved three to five CVEs in each release," Goettl noted.

The software development giant Oracle has similarly ramped up its patching cadence due to its collaboration with Glasswing. During its latest quarterly patch update, Oracle addressed at least 450 vulnerabilities, which included over 300 fixes for remotely exploitable and unauthenticated issues. Notably, Oracle announced a transition to a monthly update cycle for critical security issues at the end of April.

On May 8, Google began distributing updates for its Chrome browser that rectified an astonishing 127 security flaws—significantly higher than the 30 vulnerabilities addressed the previous month. Chrome automatically downloads available security updates; however, full installation requires a complete browser restart.

If you experience any anomalies while applying the updates from Microsoft or any other vendors discussed, please feel free to share your experiences in the comments. In the meantime, if you haven't recently backed up your data or drive, doing so prior to updating is advisable. For a detailed examination of the specific Microsoft updates released today, please refer to the inventory provided by the SANS Internet Storm Center.

Share this story

Next story

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

A coordinated cross-ecosystem supply chain attack campaign codenamed TrapDoor has distributed credential-stealing malware across npm, PyPI, and Crates.io through over 34 malicious packages targeting developers in crypto, DeFi, Solana, and AI communities.