Patch Tuesday, Might 2026 Version – Krebs on Safety

Synthetic intelligence platforms could also be simply as prone to social engineering as human beings, however they’re proving remarkably good at discovering safety vulnerabilities in human-made pc code. That actuality is on full show this month with a few of the extra widely-used software program makers — together with Apple, Google, Microsoft, Mozilla and Oracle — fixing close to file volumes of safety bugs, and/or quickening the tempo of their patch releases.

Because it does on the second Tuesday of each month, Microsoft in the present day launched software program updates to handle not less than 118 safety vulnerabilities in its varied Home windows working programs and different merchandise. Remarkably, that is the primary Patch Tuesday in practically two years that Microsoft isn’t delivery any fixes to take care of emergency zero-day flaws which can be already being exploited. Nor have any of the failings mounted in the present day been beforehand disclosed (probably giving attackers a heads up in find out how to exploit the weak spot).

Sixteen of the vulnerabilities earned Microsoft’s most-dire “crucial” label, which means malware or miscreants might abuse these bugs to grab distant management over a susceptible Home windows gadget with little or no assist from the consumer. Rapid7 has achieved a lot of the heavy lifting in figuring out a few of the extra regarding crucial weaknesses this month, together with:

• CVE-2026-41089: A crucial stack-based buffer overflow in Home windows Netlogon that gives an attacker SYSTEM privileges on the area controller. No privileges or consumer interplay are required, and assault complexity is low. Patches can be found for all variations of Home windows Server from 2012 onwards.
• CVE-2026-41096: A crucial RCE within the Home windows DNS consumer implementation worthy of consideration regardless of Microsoft assessing exploitation as much less possible.
• CVE-2026-41103: A crucial elevation of privilege vulnerability that enables an unauthorized attacker to impersonate an current consumer by presenting solid credentials, thus bypassing Entra ID. Microsoft expects that exploitation is extra possible.

Might’s Patch Tuesday is a welcome respite from April, which noticed Microsoft fix a near-record 167 security flaws. Microsoft was amongst a couple of dozen tech giants given entry to a “Venture Glasswing,” a much-hyped AI functionality developed by Anthropic that seems fairly efficient at unearthing safety vulnerabilities in code.

Apple, one other early participant in Venture Glasswing, usually fixes a median of 20 vulnerabilities every time it ships a safety replace for iOS units, mentioned Chris Goettl, vice chairman of product administration at Ivanti. On Might 11, Apple shipped iOS 15, which addressed not less than 52 vulnerabilities and backported the adjustments all the way in which to iPhone 6s and iOS 15.

Final month, Mozilla launched Firefox 150, which resolved a whopping 271 vulnerabilities that had been reportedly found throughout the Glasswing analysis.

“Since Firefox 150.0.0 launched, they’ve been on a extra aggressive weekly cadence for safety updates together with the discharge of Firefox 150.0.3 on Might Patch Tuesday resolving between three to 5 CVEs in every launch,” Goettl mentioned.

The software program big Oracle likewise lately elevated its patch tempo in response to their work with Glasswing. In its most up-to-date quarterly patch replace, Oracle addressed not less than 450 flaws, together with more than 300 fixes for remotely exploitable, unauthenticated flaws. However on the finish of April, Oracle introduced it was switching to a month-to-month replace cycle for crucial safety points.

On Might 8, Google began rolling out updates to its Chrome browser that fixed an astonishing 127 security flaws (up from simply 30 the earlier month). Chrome automagically downloads accessible safety updates, however putting in them requires absolutely restarting the browser.

Should you encounter any weirdness making use of the updates from Microsoft or another vendor talked about right here, be at liberty to pontificate within the feedback under. Meantime, in the event you haven’t backed up your knowledge and/or drive recently, doing that earlier than updating is usually sound recommendation. For a extra granular have a look at the Microsoft updates launched in the present day, checkout this inventory by the SANS Web Storm Heart.