Skip to main content
CybersecurityVulnerability Management

AI-Powered Bug Hunts Disrupt Software Giants' Patch Cycles

Brightly-lit laboratory with rows of computer workstations and technical equipment.

Microsoft today released software updates addressing at least 118 security vulnerabilities — and, for the first Patch Tuesday in nearly two years, none of those fixes were to remediate emergency zero-day flaws already being exploited in the wild.

Microsoft: 118 fixes, 16 rated “critical”

As it does on the second Tuesday of every month, Microsoft published a batch of security updates covering at least 118 distinct vulnerabilities across Windows and other products. Sixteen of those received Microsoft’s highest “critical” severity label, meaning remote code execution or similar attacks could allow an adversary to seize control of a vulnerable system with little or no user interaction. Notably, Microsoft said none of the flaws patched today had previously been publicly disclosed, and this Patch Tuesday did not include fixes for actively exploited zero-days — a contrast with April’s near‑record 167‑flaw release.

Rapid7-flagged CVEs to watch

Security vendor Rapid7 identified several of the most concerning critical bugs in this round. The highlights they surfaced include:

  • CVE-2026-41089 — a critical stack-based buffer overflow in Windows Netlogon that can deliver SYSTEM privileges on a domain controller. According to Rapid7’s write-up reproduced in the reporting, no privileges or user interaction are required and attack complexity is low. Microsoft provides patches for Windows Server versions from 2012 onward.
  • CVE-2026-41096 — a critical remote code execution in the Windows DNS client implementation. Microsoft assessed exploitation as less likely, but Rapid7 flagged it for attention.
  • CVE-2026-41103 — a critical elevation-of-privilege vulnerability that allows an attacker to impersonate an existing user by presenting forged credentials and thereby bypass Entra ID. Microsoft expects exploitation of this flaw is more likely.

For a more granular inventory of the Microsoft updates released today, consult the SANS Internet Storm Center’s list linked in the original advisory.

Anthropic’s Project Glasswing reshapes vendor patch cadence

Anthropic’s Project Glasswing — an AI capability that several major vendors had access to — appears to have accelerated discovery and the cadence of patches. Microsoft, Apple, Google, Mozilla and Oracle were among the companies given access to Glasswing. The downstream effects reported this month include:

  • Apple shipped iOS 15 on May 11 and “addressed at least 52 vulnerabilities and backported the changes all the way to iPhone 6s and iOS 15,” a notable breadth of support for older devices.
  • Mozilla’s Firefox 150 resolved 271 vulnerabilities reportedly discovered during the Glasswing evaluation. Chris Goettl, vice president of product management at Ivanti, said, “Since Firefox 150.0.0 released, they have been on a more aggressive weekly cadence for security updates including the release of Firefox 150.0.3 on May Patch Tuesday resolving between three to five CVEs in each release.”
  • Oracle increased its patch pace after its Glasswing work: its most recent quarterly update fixed at least 450 flaws, including more than 300 remotely‑exploitable, unauthenticated flaws. At the end of April Oracle announced it was switching to a monthly update cycle for critical security issues.
  • Google began rolling out Chrome updates on May 8 that fixed 127 security flaws — up from 30 the previous month. Chrome “automagically downloads available security updates,” the report notes, but installing them requires a full restart of the browser.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Expect a faster, less predictable cadence of vulnerability disclosures and vendor patches as AI tools like Project Glasswing uncover more issues. The arrival of 16 critical Microsoft fixes and Rapid7’s flagged CVEs means prioritization and coordination around domain controllers, DNS clients and Entra ID-related patches should command attention.
  • Affected enterprises and procurement leaders: Vendor behaviors are changing — Oracle’s move to monthly critical updates and Apple’s decision to backport fixes to older iPhones are concrete operational shifts reported this month. Enterprises will need to account for more frequent releases and altered patch windows when negotiating maintenance and testing schedules.
  • End users and the general public: Chrome will download updates automatically but requires a full browser restart to apply them; Apple has released a broad iOS 15 update that includes fixes for at least 52 vulnerabilities and extends to older devices. Reporters advise backing up data and drives before updating, a practical step mentioned in the coverage.

Conclusion

This month’s patch activity shows two linked trends: large vendors are racing to remediate a surging number of flaws, and AI-assisted discovery — exemplified by Anthropic’s Project Glasswing — is changing the tempo and scale of those discoveries. Microsoft’s Patch Tuesday offered a relative breathing space by not including emergency zero‑day fixes, but the presence of 16 critical bugs and Rapid7’s highlighted CVEs underscores that the operational pressure on defenders remains acute. For teams and users alike, the immediate task is clear in the reporting: take inventory of critical updates, note vendor cadence changes such as Oracle’s monthly switch and Chrome’s restart requirement, and consult the linked inventories for the technical details needed to act.

https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/