Microsoft released software updates for 118 security vulnerabilities across Windows operating systems and other products on May's Patch Tuesday, the second Tuesday of the month. This marks the first time in nearly two years the company did not ship fixes for emergency zero-day flaws already under active exploitation.

The 118 fixes included 16 critical vulnerabilities. These bugs allow attackers to take remote control of a Windows device with little user interaction. None of the flaws fixed today were publicly known before the patch release.

Rapid7 identified several critical weaknesses. CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon, lets an attacker gain SYSTEM privileges on domain controllers without user interaction or prior access. This vulnerability has low attack complexity. Patches are available for Windows Server 2012 and later.

Another critical flaw, CVE-2026-41096, is a remote code execution (RCE) vulnerability in the Windows DNS client. Microsoft assesses exploitation as less likely, but it still warrants attention. CVE-2026-41103, an elevation of privilege bug, lets unauthorized attackers impersonate existing users with forged credentials, bypassing Entra ID. Microsoft considers this flaw more likely to be exploited.

Artificial intelligence platforms show promise in identifying security vulnerabilities within computer code. Many major software makers have accelerated their patch releases, or fixed record volumes of bugs, after using AI tools.

Microsoft was among the tech companies given access to "Project Glasswing," an AI capability developed by Anthropic. This tool appears effective at unearthing code vulnerabilities. Last month, Microsoft fixed 167 security flaws, a near-record number.

Apple, another early participant in Project Glasswing, shipped updates on May 11 to address at least 52 vulnerabilities. These changes were backported to devices as old as the iPhone 6s and to iOS 15. Chris Goettl, vice president of product management at Ivanti, said Apple typically fixes an average of 20 vulnerabilities per iOS security update.

Mozilla released Firefox 150 last month, resolving 271 vulnerabilities. Reports indicate Project Glasswing discovered many of these. Since Firefox 150.0.0, Mozilla has maintained a more aggressive weekly cadence for security updates. Firefox 150.0.3, released on May Patch Tuesday, resolved three to five CVEs.

Oracle recently increased its patch pace following its work with Glasswing. Its most recent quarterly patch update addressed at least 450 flaws. More than 300 of these fixes were for remotely exploitable, unauthenticated vulnerabilities. Oracle announced a switch to a monthly update cycle for critical security issues at the end of April.

Google began rolling out updates for its Chrome browser on May 8. These updates fixed 127 security flaws, a significant jump from 30 the previous month. Chrome downloads security updates automatically, but users must restart the browser to install them fully.

Users should back up their data and drives before applying system updates. For a detailed inventory of Microsoft's updates released today, consult the SANS Internet Storm Center.