AI-Powered Bug Hunting Drives Record Patch Volumes in May 2026 Patch Tuesday

Microsoft Releases 118 Fixes, but Zero-Day Exploits Vanish for First Time in Two Years

Microsoft today released software updates addressing at least 118 security vulnerabilities across Windows and other products, marking a significant milestone: it is the first Patch Tuesday in nearly two years that the company did not ship any emergency fixes for zero-day flaws already under active attack. None of the vulnerabilities patched this month had been publicly disclosed prior to the release, reducing the risk of targeted exploitation.

Sixteen of the flaws are rated critical, meaning attackers could remotely execute code or gain full control of a vulnerable device with minimal user interaction. Among the most concerning is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that grants SYSTEM privileges on domain controllers without requiring authentication or user action. Rapid7 security researchers flagged this as a high-priority target.

Additional Critical Vulnerabilities to Note

• CVE-2026-41096: A critical remote code execution flaw in the Windows DNS client, though Microsoft assesses exploitation as less likely.
• CVE-2026-41103: A critical elevation of privilege vulnerability that allows an attacker to impersonate users by forging credentials, bypassing Entra ID. Microsoft expects exploitation to become more likely.

“While the volume may not be record-breaking, the absence of zero-days is a welcome reprieve,” said Chris Goettl, vice president of product management at Ivanti. “But the critical severity of several bugs, especially those affecting authentication systems, demands immediate attention from IT teams.”

Background: AI from Project Glasswing Accelerates Discovery

This month’s patch wave is heavily influenced by a novel AI vulnerability discovery platform, Project Glasswing, developed by Anthropic. A small group of major technology companies — including Microsoft, Apple, and Mozilla — were granted early access to the AI system, which has proven remarkably effective at finding security bugs in human-written code.

Apple, which typically fixes around 20 vulnerabilities per iOS update, shipped patches for at least 52 flaws on May 11 and backported them as far back as the iPhone 6s running iOS 15. Mozilla’s Firefox 150, released last month, resolved a staggering 271 vulnerabilities — nearly all discovered during the Project Glasswing evaluation. Since that release, Mozilla has shifted to a weekly security update cadence.

“Artificial intelligence platforms may be just as susceptible to social engineering as humans, but they are proving extraordinarily good at finding weaknesses in code,” noted Goettl. “Project Glasswing has changed the tempo of patch releases across the industry.”

What This Means for Organizations

The rapid acceleration of vulnerability discovery driven by AI means IT departments face a new reality: patch volumes will likely remain elevated, and the window for remediation will shrink. While no zero-days were exploited this month, the critical nature of several flaws — especially those targeting domain controllers and authentication systems — makes timely patching essential.

Organizations should prioritize deploying updates for CVE-2026-41089 and CVE-2026-41103, as they enable privilege escalation and impersonation without user interaction. The shift toward weekly updates from vendors like Mozilla and Apple also requires a more agile patch management process.

“The era of AI-powered vulnerability hunting is here,” said Goettl. “It’s good for security overall, but it demands that defenders stay even more vigilant with their patching cadence.”

This is a developing story. Check back for updates on additional patches from Google, Oracle, and other vendors.