AI-Assisted Vulnerability Discovery Drives Record Patch Volumes: Microsoft, Apple, Mozilla Ship Urgent Fixes

Microsoft Releases 118 Patches in May 2026 Patch Tuesday; No Zero-Day Exploits Seen

Microsoft today issued software updates addressing at least 118 security vulnerabilities across Windows and its product suite, marking the first Patch Tuesday in nearly two years without any emergency fixes for actively exploited zero-day flaws. None of the flaws resolved today were previously disclosed, reducing the risk of attackers leveraging known weaknesses.

Source: krebsonsecurity.com

Sixteen of the vulnerabilities are rated ‘critical,’ meaning attackers could remotely take control of a Windows device with minimal user interaction. Among the most concerning is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that grants SYSTEM privileges on domain controllers without requiring authentication or user action. Patches cover Windows Server 2012 and later versions.

“This month’s absence of in-the-wild exploits is a welcome shift, but the sheer volume of critical bugs underscores the challenge of securing modern systems,” said Chris Goettl, vice president of product management at Ivanti, in a statement.

Other critical flaws include CVE-2026-41096, a remote code execution vulnerability in the Windows DNS client that Microsoft assesses as less likely to be exploited, and CVE-2026-41103, an elevation-of-privilege issue in Entra ID that could allow an attacker to impersonate users by forging credentials. Microsoft rates exploitation of the latter as more likely.

Apple and Mozilla Also Ship Large Update Batches

Apple released iOS 15 on May 11, addressing at least 52 vulnerabilities—more than double its typical update count—and backported fixes to devices as old as the iPhone 6s running iOS 15. “Apple usually fixes an average of 20 vulnerabilities per iOS release, so 52 signals something significant,” noted Goettl.

Mozilla’s Firefox 150, released last month, resolved 271 vulnerabilities, many discovered during an evaluation of Project Glasswing—a high-profile AI system developed by Anthropic. Mozilla has since adopted a more aggressive weekly patching cadence. The company declined to comment on whether the Glasswing findings are directly responsible for the accelerated schedule.

Background

Patch Tuesday is Microsoft’s monthly cycle for releasing security updates, typically on the second Tuesday. This May’s release is a reprieve from April, when Microsoft fixed a near-record 167 flaws. The uptick in vulnerability discovery across vendors correlates with the adoption of AI-assisted scanning tools like Project Glasswing, which Anthropic has made available to a select group of tech giants including Apple, Google, and Microsoft.

Project Glasswing, described as an advanced AI capability, has proven effective at identifying previously missed vulnerabilities in human-written code. Its use is now reshaping how software vendors approach patching, driving larger-than-usual update bundles.

What This Means

Organizations must immediately prioritize deployment of this month’s patches, particularly the Netlogon and Entra ID fixes. The shift to AI-powered vulnerability analysis means patch volumes may continue to rise as hidden flaws are unearthed.

While AI is proficient at finding bugs, it can also be manipulated—raising concerns about social engineering attacks against AI systems themselves. For now, the net effect is a more secure software ecosystem, but only if users apply updates promptly.
