Patch Tuesday – May 2026: A Big Month for Security Fixes

Artificial intelligence may be vulnerable to social engineering just like humans, but it’s proving exceptionally good at uncovering flaws in human‑written code. That dynamic is on full display this month as major software vendors — Apple, Google, Microsoft, Mozilla, and Oracle — push out unusually large batches of security updates and accelerate their patch cycles.

Microsoft: 118 Vulnerabilities Fixed, No Zero‑Days for the First Time in Nearly Two Years

Microsoft’s May Patch Tuesday

Microsoft’s May Patch Tuesday includes 118 security fixes across Windows and related products. Surprisingly, none of the vulnerabilities were publicly disclosed beforehand, and none are known to be under active attack — a rare break after nearly two years of monthly zero‑day emergencies.

Sixteen of the flaws are rated critical, meaning attackers could potentially take over a system with minimal user interaction. Security firm Rapid7 highlighted several high‑risk issues:

• CVE‑2026‑41089: A severe buffer overflow in Windows Netlogon that allows attackers to gain SYSTEM‑level control of a domain controller. No privileges required.
• CVE‑2026‑41096: A remote‑code execution flaw in the Windows DNS client. Microsoft says exploitation is less likely, but the impact is significant.
• CVE‑2026‑41103: An elevation‑of‑privilege bug enabling attackers to impersonate users and bypass Entra ID. Microsoft considers exploitation more likely.

This month’s lighter load follows April’s near‑record 167 fixes, many of which were discovered using Project Glasswing, Anthropic’s AI‑powered vulnerability‑hunting system.

Apple: iOS 15 Update Fixes 52 Vulnerabilities

Apple’s May iOS 15 security update

Apple, also an early Glasswing partner, typically patches around 20 issues per iOS release. But the May 11 iOS 15 update addressed 52 vulnerabilities, with fixes backported all the way to the iPhone 6s — a notable commitment to older devices.

Mozilla: Firefox 150 Uncovers 271 Vulnerabilities

Firefox 150 security fixes

Mozilla’s April release of Firefox 150 included a staggering 271 security fixes, many reportedly identified during the Glasswing evaluation. Since then, Mozilla has shifted to a weekly security‑update cadence, with Firefox 150.0.3 landing on Patch Tuesday and addressing several more CVEs.

Oracle: Moving to Monthly Critical Updates

Oracle’s new update cadence

Oracle’s most recent quarterly update patched 450 vulnerabilities, including 300+ remotely exploitable issues. Following its Glasswing work, Oracle announced it will now release monthly updates for critical security flaws — a major shift for the company.

Google: Chrome Update Fixes 127 Security Issues

Chrome’s May security release

On May 8, Google began rolling out a Chrome update containing 127 security fixes, a huge jump from the 30 addressed in April. Chrome downloads updates automatically, but users must restart the browser to activate them.

Before You Patch: Back Up Your Data

Backup and patching best practice

If you run into problems applying updates from Microsoft or any other vendor, you’re not alone — and backing up your system beforehand is always smart. For a deeper dive into Microsoft’s May patches, the SANS Internet Storm Center has a detailed breakdown.

Optional versions you can create from this content

• A shorter summary
• A version optimized for LinkedIn or a company newsletter
• A more technical breakdown for IT/security teams
• A headline‑driven version for a blog