Microsoft’s May 2026 Patch Tuesday delivers fixes for 118 security vulnerabilities across Windows and related products, marking the first Patch Tuesday in nearly two years without an actively exploited zero-day in the release. None of the patched flaws had been previously disclosed, removing any advance warning attackers might have used to develop exploits.

Critical Vulnerabilities This Month

Sixteen of the 118 vulnerabilities received Microsoft’s most severe “critical” rating, meaning they could allow remote code execution or privilege escalation with minimal or no user interaction. Security firm Rapid7 highlighted three issues of particular concern:

  • CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon granting SYSTEM-level privileges on a domain controller. No privileges or user interaction are required, and attack complexity is rated low. Patches cover all Windows Server versions from 2012 onward.
  • CVE-2026-41096: A critical remote code execution flaw in the Windows DNS client. Microsoft rates exploitation as less likely, but the component’s ubiquity warrants attention.
  • CVE-2026-41103: A critical elevation of privilege vulnerability allowing an unauthorized attacker to impersonate existing users via forged credentials, bypassing Entra ID. Microsoft considers exploitation more likely for this flaw.

AI-Assisted Discovery Driving Record Patch Volumes Industry-Wide

The broader context for this month’s elevated patch volumes is an AI vulnerability-discovery capability called Project Glasswing, developed by Anthropic and shared with a select group of technology companies including Microsoft, Apple, Mozilla, Google, and Oracle. The tool appears highly effective at surfacing security weaknesses in code at a scale difficult to achieve through traditional manual review.

The downstream effects are visible across the industry. Apple, which typically patches around 20 iOS vulnerabilities per update cycle, shipped fixes for at least 52 vulnerabilities on May 11, backporting changes as far back as iOS 15 and the iPhone 6s. Mozilla released Firefox 150 resolving 271 vulnerabilities attributed to the Glasswing evaluation, and has since moved to an aggressive weekly security update cadence, with Firefox 150.0.3 shipping on this Patch Tuesday resolving an additional three to five CVEs.

Oracle addressed at least 450 flaws in its most recent quarterly update, including more than 300 remotely exploitable, unauthenticated vulnerabilities, and subsequently announced a shift to a monthly patch cycle for critical security issues. Google pushed a Chrome browser update on May 8 addressing 127 security flaws, a sharp increase from the 30 fixed the previous month. Chrome downloads updates automatically but requires a full browser restart to apply them.

Patch Guidance

May’s release is a meaningful improvement over April, when Microsoft fixed a near-record 167 vulnerabilities. Security teams should prioritize the Netlogon and Entra ID flaws given their low attack complexity and high potential impact. As always, backing up data before applying updates is advisable. The SANS Internet Storm Center maintains a detailed inventory of this month’s Microsoft patches for those requiring a granular breakdown.