Patch Tuesday, May 2026 Edition: Microsoft Fixes 118 Flaws, No Zero-Days for First Time in Two Years

Microsoft's May 2026 Patch Tuesday addresses 118 vulnerabilities, including 16 critical flaws, with no zero-days fixed for the first time in nearly two years. This marks a significant shift from recent months, which saw near-record numbers of security patches and active exploitation of zero-day vulnerabilities. The absence of emergency fixes suggests that Microsoft's increased focus on proactive security measures, including AI-assisted vulnerability discovery, may be paying off.
Among the most critical vulnerabilities patched this month is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that allows an attacker to gain SYSTEM privileges on domain controllers without any user interaction or prior authentication. This flaw affects all versions of Windows Server from 2012 onwards and has been assessed as highly likely to be exploited. Another notable fix is CVE-2026-41103, an elevation of privilege vulnerability in Entra ID that enables an unauthorized attacker to impersonate existing users by presenting forged credentials, bypassing authentication entirely.
The May updates also include CVE-2026-41096, a critical remote code execution vulnerability in the Windows DNS client implementation. While Microsoft rates exploitation as less likely, the severity of the flaw warrants immediate patching. In total, 16 vulnerabilities received Microsoft's most severe 'critical' rating, meaning they could be exploited remotely with minimal user interaction.
This month's Patch Tuesday comes on the heels of a record-breaking April, during which Microsoft fixed 167 security flaws. The reduction in volume may be partly attributed to the company's participation in 'Project Glasswing,' an AI-powered vulnerability discovery initiative developed by Anthropic. Microsoft was among a select group of tech giants granted access to this capability, which has proven highly effective at identifying security bugs in code.
Other major software vendors also shipped substantial updates this month. Apple released iOS 15 on May 11, addressing 52 vulnerabilities and backporting fixes to devices as old as the iPhone 6s. Mozilla's Firefox 150 resolved 271 bugs, many discovered during the Glasswing evaluation, and the company has since adopted a more aggressive weekly patch cadence. Google Chrome patched 127 flaws in its May 8 update, a dramatic increase from the 30 fixes in the previous month.
Oracle, another Glasswing participant, has also accelerated its patch cycle. In its most recent quarterly update, Oracle addressed over 450 flaws, including more than 300 remotely exploitable, unauthenticated vulnerabilities. The company announced it would shift to a monthly update cycle for critical security issues starting in May.
While the absence of zero-day fixes is a positive development, security experts caution that attackers may have already developed exploits for some of the patched vulnerabilities. Users and administrators are urged to apply the latest updates promptly and ensure that backup systems are in place before installing patches. For a detailed breakdown of the Microsoft updates, the SANS Internet Storm Center has published an inventory of the fixes.