Microsoft and Major Vendors Patch Record Vulnerabilities
Per Krebs on Security, the May 2026 Patch Tuesday cycle saw Microsoft release updates addressing at least 118 security vulnerabilities across Windows and other products. Krebs reports 16 of those flaws carried Microsoft's highest "critical" severity, and this is the first Patch Tuesday in nearly two years without fixes for active zero-day exploitation. Krebs cites security firm Rapid7 in highlighting several high-risk bugs, including a stack-based buffer overflow in Windows Netlogon that can yield SYSTEM privileges on domain controllers and a remote code execution issue in the Windows DNS client. Krebs also reports that companies including Apple, Google, Mozilla, and Oracle moved to fix large volumes of bugs, and that some vendors had access to Project Glasswing, an Anthropic AI capability Krebs describes as effective at surfacing code vulnerabilities.
What happened
Per Krebs on Security, the May 2026 Patch Tuesday cycle included security updates from multiple major vendors. Microsoft published patches addressing at least 118 vulnerabilities, of which 16 were labeled "critical," Krebs reports. Krebs further reports this is the first Patch Tuesday in nearly two years without fixes for active zero-day exploits. Krebs cites security firm Rapid7 as identifying several high-risk issues, including a stack-based buffer overflow in Windows Netlogon that can grant SYSTEM privileges on domain controllers, a remote code execution bug in the Windows DNS client, and an elevation-of-privilege flaw that can bypass Entra ID authentication.
Technical details
Per the coverage in Krebs on Security and reporting attributed to Rapid7, the Netlogon bug is a stack-based buffer overflow with low attack complexity and no required user interaction, and Microsoft has released patches for Windows Server versions from 2012 onward, Krebs reports. Krebs also notes a critical RCE in the Windows DNS client and a critical elevation-of-privilege vulnerability that involves forged credentials and Entra ID; Microsoft assessed exploitation likelihood differently across those bugs, Krebs reports.


