← BACK TO FEED
Patch TuesdayMicrosoftProject Glasswingvulnerability disclosurebrowser security

AI Bug-Hunting Is Breaking Patch Records Across the Industry

Microsoft's May 2026 Patch Tuesday addressed 118 security vulnerabilities, including 16 critical flaws, but notably contained no zero-day exploits — a rare occurrence in nearly two years. The surge in patching activity across major tech companies, including Apple, Google, Mozilla, and Oracle, is largely attributed to "Project Glasswing," an AI vulnerability-detection tool developed by Anthropic that has proven highly effective at identifying security flaws in code. The tool has dramatically increased the volume and pace of security patches industry-wide, with Mozilla fixing 271 vulnerabilities in Firefox 150 and Google patching 127 Chrome flaws in a single update.

Something is clearly different about 2026's patch cycle. Apple, Google, Microsoft, Mozilla, and Oracle are all shipping security fixes at either record volumes or dramatically increased frequency, and the common thread running through all of it is an AI vulnerability-hunting tool called Project Glasswing, developed by Anthropic.

The short version: AI is apparently very good at finding holes in code that humans have missed for years. Whether that's reassuring or alarming probably depends on how much unpatched software you're running.

Microsoft's May Patch Tuesday landed with 118 CVEs, which sounds like a lot until you remember that April's count hit a near-record 167. Sixteen of this month's fixes carry Microsoft's "critical" rating, though there's one genuinely welcome piece of news buried in there: for the first time in almost two years, none of the flaws being patched are zero-days under active exploitation. No previously disclosed bugs either, which means attackers haven't had a head start this month.

That said, a few of the critical issues deserve attention. CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon that hands an unauthenticated attacker SYSTEM-level privileges on a domain controller. No user interaction needed, low attack complexity. Bad combination. Patches cover Windows Server 2012 onwards. CVE-2026-41096 is a remote code execution flaw in the Windows DNS client that Microsoft considers less likely to be exploited, though Rapid7 flags it as worth watching regardless. CVE-2026-41103 is an elevation of privilege bug that lets an attacker impersonate a legitimate user via forged credentials, effectively walking around Entra ID. Microsoft thinks exploitation here is the more likely scenario.

Outside of Microsoft, the volume numbers get almost absurd. Apple, also an early Glasswing participant, typically patches around 20 iOS vulnerabilities per update cycle. On May 11 it shipped fixes for 52 flaws, and backported the patches all the way to the iPhone 6s running iOS 15. That's a significant reach.

Mozilla's Firefox 150 resolved 271 vulnerabilities, reportedly surfaced through the Glasswing process. Since that release, Mozilla has shifted to a weekly security update cadence, with Firefox 150.0.3 dropping on Patch Tuesday itself and resolving another handful of CVEs.

Oracle pushed out patches for over 450 vulnerabilities in its most recent quarterly update, more than 300 of which were remotely exploitable without authentication. The company has since announced it's ditching the quarterly schedule entirely in favour of monthly updates for critical issues.

Google's Chrome update on May 8 fixed 127 security flaws, up from 30 the previous month. Chrome handles updates automatically in the background, but they only take effect after a full browser restart, which a surprising number of people never do.

The broader picture here isn't just a busy month for patch management teams. It's a structural shift in how vulnerabilities get discovered. AI tooling is accelerating the rate at which bugs surface, which means the industry has to patch faster or accept a growing backlog of known, fixable weaknesses sitting in production. The optimistic read is that these bugs are being found by researchers before attackers find them. The pessimistic read is that the same tools are available to people with less wholesome intentions.

As always, back up before you patch, and if anything breaks during updates, the comments are open.