This month's Patch Tuesday saw major software vendors release critical security updates, with artificial intelligence playing an unprecedented role in discovering vulnerabilities. Microsoft, Apple, Google, Mozilla, and Oracle addressed a massive number of flaws, many uncovered by Anthropic's Project Glasswing AI. Below are the most significant updates in Q&A format, covering the key issues and patches.
1. What is Project Glasswing and how is it reshaping vulnerability discovery?
Project Glasswing is an artificial intelligence platform developed by Anthropic that has demonstrated remarkable effectiveness at identifying security flaws in human-written code. In May 2026, its impact became glaringly apparent: Mozilla's Firefox 150 patched 271 vulnerabilities largely discovered through Glasswing, while Apple and other tech giants also relied on the AI to find bugs before attackers could. The system works by analyzing code patterns and simulating exploitation paths, often uncovering subtle issues that traditional scanning misses. This AI-driven approach is accelerating patch cycles—Mozilla has moved to weekly security updates since Firefox 150—and forcing vendors to rethink their vulnerability management. While social engineering can still trick AI, its code-analysis capabilities are proving superior to many manual reviews.
2. How many vulnerabilities did Microsoft fix in May 2026 and what is the severity breakdown?
On May 12, 2026, Microsoft released patches for 118 security vulnerabilities across Windows and other products. Notably, this Patch Tuesday marked the first time in two years that Microsoft did not address any actively exploited zero-day flaws, nor were any bugs publicly disclosed prior to the release. Of the total, sixteen vulnerabilities were rated critical, meaning they could allow remote code execution without user interaction. The remaining flaws were classified as important. While the volume is lower than April's near-record 167, the lack of emergency zero-days provides a breathing room for IT teams. This may also reflect the positive influence of Project Glasswing, which helped Microsoft and other participants find and fix vulnerabilities preemptively.
3. What are the most critical vulnerabilities patched by Microsoft this month?
Rapid7 highlighted three particularly dangerous critical bugs that demand immediate attention:
- CVE-2026-41089 – A stack-based buffer overflow in Windows Netlogon that grants an attacker SYSTEM privileges on a domain controller. No privileges or user interaction needed, and attack complexity is low. Patches cover Windows Server 2012 and later.
- CVE-2026-41096 – A critical remote code execution (RCE) flaw in the Windows DNS client implementation. Though Microsoft rates exploitation as less likely, the potential for widespread impact makes this a priority.
- CVE-2026-41103 – An elevation of privilege vulnerability that allows an unauthorized attacker to impersonate users by presenting forged credentials, bypassing Entra ID. Microsoft expects exploitation to become more likely.
Administrators should prioritize these patches, especially on domain controllers and DNS servers. For deeper details, see our overview of AI's role in discovering similar bugs.
4. How did Apple’s security updates in May 2026 stand out?
Apple, also an early participant in Project Glasswing, shipped updates on May 11, 2026, addressing at least 52 vulnerabilities across its platforms. This is more than double the average of 20 bugs per iOS security update. Notably, Apple backported the fixes all the way back to the iPhone 6s and iOS 15, demonstrating a commitment to supporting older devices. The extra volume is attributed to findings from Project Glasswing, which helped Apple identify and patch flaws that might otherwise have gone unnoticed. The updates cover iOS, iPadOS, macOS, and Safari, with many bugs affecting WebKit and kernel components. Users are urged to install the updates promptly, as some vulnerabilities could lead to arbitrary code execution.
5. What record did Mozilla set with Firefox 150 and why?
Mozilla released Firefox 150 in April 2026, resolving a staggering 271 vulnerabilities—the highest number ever fixed in a single Firefox release. The vast majority of these bugs were discovered during the evaluation of Anthropic's Project Glasswing, which mozilla had early access to. This massive cleanup prompted Mozilla to shift from a roughly monthly security update cadence to an aggressive weekly schedule. The vulnerabilities ranged from memory safety issues to logic flaws, all of which could potentially be exploited. The quick turnaround shows how AI can accelerate the detection and patching lifecycle. For users, this means staying current with Firefox updates is more critical than ever to remain protected.
6. Why is May 2026 considered a “welcome respite” from April’s Patch Tuesday?
April 2026 saw Microsoft fix a near-record 167 security flaws, creating a heavy workload for IT administrators who had to prioritize and deploy patches quickly. In contrast, May's count of 118 bugs is significantly lower, and the absence of any emergency zero-day flaws reduces the urgency. This breather allows teams to catch up on earlier updates, test patches more thoroughly, and plan for future cycles. Moreover, the use of AI-powered vulnerability discovery like Project Glasswing means that many bugs are found and fixed before they are exploited, potentially reducing the number of emergency patches in the long run. While still a substantial number of fixes, the May release is more manageable and less stressful for security teams.
7. What does the success of AI in vulnerability discovery mean for future software security?
The remarkable results from Project Glasswing suggest that AI will play an increasingly central role in cybersecurity. In just a few months, it helped uncover hundreds of vulnerabilities that manual or conventional automated tools might have missed. This could lead to more proactive security, where flaws are found and patched before attackers can weaponize them. However, challenges remain: AI itself can be tricked by social engineering, and the volume of findings can overwhelm development teams. Vendors like Mozilla have responded with faster patch cadences, but this may strain smaller organizations. Ultimately, AI is a powerful ally, but human oversight and robust update management remain essential. The trend is clear: expect more, and faster, security patches in the coming years.