AI’s Dual Role in Cybersecurity: Vulnerability Hunter and Potential Target
Artificial intelligence platforms are proving to be double-edged swords in cybersecurity. While they, like humans, remain vulnerable to social engineering attacks, AI systems are exceptionally effective at identifying security flaws in human-developed code. This duality is evident in the May 2026 Patch Tuesday updates, where major software vendors, including Apple, Google, Microsoft, Mozilla, and Oracle, are addressing near-record volumes of security vulnerabilities and accelerating their patch release schedules.
Microsoft’s May 2026 Patch Tuesday: 118 Vulnerabilities Fixed, No Zero-Days
As part of its monthly Patch Tuesday cycle, Microsoft released updates on May 13, 2026, to address 118 security vulnerabilities across its Windows operating systems and other products. This release stands out for two key reasons:
- It is the first Patch Tuesday in nearly two years without any emergency fixes for zero-day vulnerabilities already under active exploitation.
- None of the vulnerabilities patched this month were previously disclosed, reducing the risk of attackers gaining early knowledge of potential exploits.
Critical Vulnerabilities in Microsoft’s May Update
Sixteen of the vulnerabilities were labeled as “critical”, meaning they could allow malware or attackers to remotely seize control of a vulnerable Windows device with minimal or no user interaction. Rapid7 identified several of the most concerning critical flaws, including:
- CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon that grants an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and the attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
- CVE-2026-41096: A critical remote code execution (RCE) vulnerability in the Windows DNS client implementation. Microsoft assesses exploitation as less likely, but the flaw still warrants attention.
- CVE-2026-41103: A critical elevation of privilege vulnerability that enables an unauthorized attacker to impersonate an existing user by presenting forged credentials, bypassing Entra ID. Microsoft assesses exploitation as more likely.
AI-Driven Vulnerability Detection Accelerates Patch Cycles
Microsoft was among dozens of tech giants granted access to “Project Glasswing”, an AI-powered tool developed by Anthropic. The tool has demonstrated remarkable effectiveness in uncovering security vulnerabilities in code, prompting software vendors to expedite their patching processes.
Apple, another early participant in Project Glasswing, typically addresses an average of 20 vulnerabilities per iOS security update. However, the May 11, 2026, release of iOS 15 addressed 52 vulnerabilities, with fixes backported to devices as old as the iPhone 6s running iOS 15.
Mozilla also saw a significant impact from Project Glasswing. In April 2026, the organization released Firefox 150, which resolved 271 vulnerabilities discovered during the Glasswing evaluation. Chris Goettl, vice president of product management at Ivanti, noted that Firefox has since adopted a more aggressive weekly security update cadence, with each release, including Firefox 150.0.3 on May Patch Tuesday, resolving between three and five CVEs.
Oracle has similarly increased its patching pace in response to its collaboration with Project Glasswing. In its most recent quarterly patch update, Oracle addressed at least 450 flaws, including more than 50 critical vulnerabilities.
Contrast with April 2026: A Near-Record Month for Microsoft
May’s Patch Tuesday provides a stark contrast to April 2026, which saw Microsoft fix a near-record 167 security flaws. The accelerated detection and patching cycles, driven in part by AI tools like Project Glasswing, highlight the growing role of artificial intelligence in modern cybersecurity practices.
"Since Firefox 150.0.0 released, they have been on a more aggressive weekly cadence for security updates including the release of Firefox 150.0.3 on May Patch Tuesday resolving between three to five CVEs in each release."