Microsoft and Major Vendors Patch Record Vulnerabilities
Per Krebs on Security, the May 2026 Patch Tuesday cycle saw Microsoft release updates addressing at least 118 security vulnerabilities across Windows and other products. Krebs reports 16 of those flaws carried Microsoft's highest "critical" severity, and this is the first Patch Tuesday in nearly two years without fixes for active zero-day exploitation. Krebs cites security firm Rapid7 in highlighting several high-risk bugs, including a stack-based buffer overflow in Windows Netlogon that can yield SYSTEM privileges on domain controllers and a remote code execution issue in the Windows DNS client. Krebs also reports that companies including Apple, Google, Mozilla, and Oracle moved to fix large volumes of bugs, and that some vendors had access to Project Glasswing, an Anthropic AI capability Krebs describes as effective at surfacing code vulnerabilities.
What happened
Per Krebs on Security, the May 2026 Patch Tuesday cycle included security updates from multiple major vendors. Microsoft published patches addressing at least 118 vulnerabilities, of which 16 were labeled "critical," Krebs reports. Krebs further reports this is the first Patch Tuesday in nearly two years without fixes for active zero-day exploits. Krebs cites security firm Rapid7 as identifying several high-risk issues, including a stack-based buffer overflow in Windows Netlogon that can grant SYSTEM privileges on domain controllers, a remote code execution bug in the Windows DNS client, and an elevation-of-privilege flaw that can bypass Entra ID authentication.
Technical details
Per the coverage in Krebs on Security and reporting attributed to Rapid7, the Netlogon bug is a stack-based buffer overflow with low attack complexity and no required user interaction, and Microsoft has released patches for Windows Server versions from 2012 onward, Krebs reports. Krebs also notes a critical RCE in the Windows DNS client and a critical elevation-of-privilege vulnerability that involves forged credentials and Entra ID; Microsoft assessed exploitation likelihood differently across those bugs, Krebs reports.
Industry context
Editorial analysis: Industry reporting from Krebs places this month's elevated patch volumes alongside broader trends where AI-assisted tools are accelerating discovery of flaws. Krebs reports that several large vendors, including Apple, Google, Mozilla, and Oracle, issued sizable updates this cycle, and that Apple typically fixes an average of 20 vulnerabilities per iOS security update, per Krebs. Krebs also reports that a "few dozen" tech companies had access to Project Glasswing, an AI capability developed by Anthropic that Krebs describes as effective at unearthing security vulnerabilities in code.
What to watch
Editorial analysis: Observers and security teams should track whether AI-assisted discovery continues to raise monthly patch counts and whether vendors change release cadence, per the pattern Krebs documents. Also monitor vendor advisories for exploit telemetry and mitigation guidance for the specific Windows bugs Rapid7 highlighted, and watch for follow up reporting on Project Glasswing disclosures and any broader community access or defensive tooling that incorporates AI-derived findings.
Scoring Rationale
This Patch Tuesday is notable for the high volume of fixes and multiple critical Windows flaws, plus reporting that AI tools like `Project Glasswing` are surfacing vulnerabilities. The story matters to practitioners managing patching and threat detection, but it is not a paradigm shift for the field.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
