Microsoft on Pace to Break Annual Vulnerability Record as AI-Driven Patch Wave Takes Hold
Microsoft's May 2026 Patch Tuesday addresses over 130 vulnerabilities, including two critical Netlogon and DNS flaws, as the company reveals its internal AI system MDASH discovered 16 of this month's bugs.

Microsoft on Tuesday issued patches for more than 130 security vulnerabilities, putting the company on pace to break its own annual record. Five months into 2026, Microsoft has already patched over 500 vulnerabilities, with April's release addressing 173 and May's following with more than 137. The surge is driven by AI-assisted vulnerability discovery, which Microsoft's security leadership says is fundamentally changing the scale and speed of finding flaws.
Among the highest-priority fixes are two critical remote code execution vulnerabilities. CVE-2026-41089 in Windows Netlogon (CVSS 9.8) can be triggered by a specially crafted network request to a Windows server acting as a domain controller, allowing an unauthenticated attacker to run code remotely. CVE-2026-41096 in the Windows DNS Client (CVSS 9.8) similarly enables unauthenticated remote code execution in certain configurations. A third critical flaw, CVE-2026-42898 (CVSS 9.9), affects on-premises Microsoft Dynamics 365 installations and allows an authorized attacker to execute code over a network.
Alongside the patch release, Microsoft publicly revealed a new AI system it has been using internally to hunt for security flaws. The system, codenamed MDASH, independently discovered 16 of the vulnerabilities patched this month, including four rated critical, without any human researcher identifying them first. To validate the system, Microsoft ran a retrospective recall test against five years of known flaws in two of Windows' most scrutinized internal components; MDASH achieved 96% recall in one and 100% in the other.
Tom Gallagher, vice president of engineering at Microsoft's Security Response Center, wrote in a blog post that "AI is changing the scale and speed of vulnerability discovery, which can raise operational demands and requires consistent, disciplined risk management at pace."
The broader industry is feeling the same pressure. Britain's National Cyber Security Centre warned last month that organizations should prepare for a surge of urgent software updates driven by AI-assisted vulnerability discovery. Apple, which was given early access to Anthropic's Project Glasswing AI capability, addressed 52 vulnerabilities in its most recent update. Oracle announced it is switching from a quarterly to a monthly patch cycle for critical issues. Google shipped 127 Chrome security fixes on the same day as Microsoft's release, up from 30 the previous month.
The trend extends beyond traditional software. Earlier this year, HackerOne paused its open source bug bounty program, citing a "worsening imbalance between vulnerability discoveries and the ability for open source maintainers to remediate them." On Monday, Google's Threat Intelligence Group reported what it described as the first known case of a threat actor using an AI-developed zero-day exploit in a planned mass exploitation campaign, which Google said it disrupted before the attack launched.
Gallagher emphasized that the increasing "pace and breadth of vulnerability discovery" across the software industry is unlikely to slow in the near term. "Organizations whose patching, exposure management, and identity practices have evolved with that pace will absorb this change more easily," he said. "Others may find that practices designed for a slower-moving landscape need a closer look."