May 2026 Patch Tuesday Overview
Artificial intelligence platforms are proving to be highly effective at finding security vulnerabilities in human-made computer code, as evident from the record volume of security patches released by major software vendors this month. Microsoft, Apple, Google, Mozilla, and Oracle have all addressed significant numbers of security bugs, with some quickening the tempo of their patch releases.
On the second Tuesday of May, Microsoft released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Notably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Additionally, none of the flaws fixed today were previously disclosed, which could have given attackers a heads up on how to exploit the weaknesses.
Microsoft Patch Tuesday Details
Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Some of the critical weaknesses include:
- CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
- CVE-2026-41096: A critical RCE in the Windows DNS client implementation worthy of attention despite Microsoft assessing exploitation as less likely.
- CVE-2026-41103: A critical elevation of privilege vulnerability that allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely.
Other Vendors' Patch Releases
May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws. Other vendors have also released significant patches this month. Apple, for example, shipped updates to address at least 52 vulnerabilities and backported the changes all the way to iPhone 6s and iOS 15. Mozilla released Firefox 150, which resolved a whopping 271 vulnerabilities that were reportedly discovered during the Glasswing evaluation.
Oracle likewise recently increased its patch pace in response to their work with Glasswing. In its most recent quarterly patch update, Oracle addressed at least 450 flaws, including more than 300 fixes for remotely exploitable, unauthenticated flaws. Google started rolling out updates to its Chrome browser that fixed an astonishing 127 security flaws, up from just 30 the previous month.
Conclusion and Recommendations
The record volume of security patches released this month highlights the importance of keeping software up to date. Users are advised to apply the updates as soon as possible and to back up their data and drives before doing so. For a more granular look at the Microsoft updates released today, checkout the inventory by the SANS Internet Storm Center.
If you encounter any issues applying the updates from Microsoft or any other vendor mentioned here, feel free to sound off in the comments below. Meanwhile, if you haven’t backed up your data and/or drive lately, doing that before updating is generally sound advice.
Source: Krebs on Security