May 2026 Patch Tuesday forecast: AI starts driving security industry changes

Microsoft May 2026 Patch Tuesday is now live: Many fixes, but no zero-days

Project Glasswing. This is one of three major security industry changes I’ll cover today. The Anthropic Mythos vulnerability discovery model has already proven to be game-changing in its ability to identify new vulnerabilities in software. Many of these vulnerabilities have existed for 10 to 15 years without human discovery. Mozilla recently announced that it discovered 271 vulnerabilities when running the model against Firefox 150 prior to release. This sheer volume of new vulnerabilities is driving change.

NIST moves to threat-based CVE analysis

In an unprecedented agreement known as Project Glasswing, 12 companies agreed to work with Anthropic on a preview version of this new technology. These include Apple, Amazon, Cisco, Microsoft, and others who would normally be competing for this technology. The goal is to finally get ahead of the zero-day releases and minimize the risk from attacks. In another major shift, NIST announced it was changing its vulnerability analysis efforts to a risk or threat-based approach.

All CVEs will continue to be added to the National Vulnerability Database (NVD), but NIST will prioritize its ‘enrichment’ process on those vulnerabilities known to be exploited, associated with software used in the federal government, or found in software identified as critical. Per the announcement, NIST enriched over 42,000 CVEs in 2025 and cannot keep that pace with all CVEs now being reported. And finally, my third change: the increase in the frequency of patch releases to keep up with this flood of vulnerabilities.

A prime example here is the announcement from Oracle that their Critical Patch Updates (CPUs) would be expanded from quarterly to monthly releases, with previously skipped months to now include additional security updates as needed. As AI ramps up, many aspects of patch management will continue to change and evolve in response.

OOB updates fix critical ASP.NET Core vulnerability

Microsoft provided two important out-of-band (OOB) patches this month. The first came soon after the April Patch Tuesday updates and impacted all the currently supported server versions from 2016 through 2025. The April security update KB5082063 was failing on Windows Server 2025 in many reported cases, and any server version acting as a domain controller could possibly go into a restart loop with its respective April update.

On April 19th, Microsoft issued a series of OOB patches to address these issues. Two days later, on April 21st, Microsoft issued an OOB update for .NET 10.0.7. This resolved CVE-2026-40372, an Escalation of Privilege vulnerability with a CVSS score of 9.1 and rated Critical. This vulnerability was found in the ASP.NET Core Data Protection cryptographic APIs and could allow a user to gain System privilege. Both of these OOB fixes will be rolled into the next Patch Tuesday update.
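To confirm the .NET OOB update actually landed on a host, the output of `dotnet --list-runtimes` can be checked against the 10.0.7 release named above. The following is an added example, not code from Microsoft or from this article; it assumes the fix ships in the `Microsoft.AspNetCore.App` shared framework, and the sample listings are constructed.

```python
import re
import subprocess

FIXED = (10, 0, 7)                      # from the article: .NET 10.0.7 resolves CVE-2026-40372
FRAMEWORK = "Microsoft.AspNetCore.App"  # assumption: shared framework that carries the fix

# `dotnet --list-runtimes` prints one runtime per line: "<name> <version> [<path>]"
LINE = re.compile(r"^(\S+)\s+((\d+)\.(\d+)\.(\d+)(-\S+)?)\s+\[.+\]$")


def parse_runtimes(text):
    """Yield (name, version_string, (major, minor, patch), is_prerelease)."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, ver, a, b, c, pre = m.groups()
            yield name, ver, (int(a), int(b), int(c)), pre is not None


def assess(text):
    """Classify one host from its runtime listing (only the 10.0 line is judged)."""
    line_10 = [(ver, num, pre) for name, ver, num, pre in parse_runtimes(text)
               if name == FRAMEWORK and num[:2] == FIXED[:2]]
    if not line_10:
        return {"status": "not-applicable", "stale": []}
    # Runtimes install side by side, so older builds can remain after patching.
    # A prerelease build sorts below the release with the same number.
    stale = [ver for ver, num, pre in line_10 if num < FIXED or (num == FIXED and pre)]
    fixed_present = len(stale) < len(line_10)
    return {"status": "patched" if fixed_present else "needs-update", "stale": stale}


def assess_local():
    """Run the same check on this machine (requires the dotnet CLI on PATH)."""
    out = subprocess.run(["dotnet", "--list-runtimes"],
                         capture_output=True, text=True, check=True)
    return assess(out.stdout)


# Constructed sample listings, not captured from real hosts.
SAMPLE_PATCHED = """\
Microsoft.AspNetCore.App 8.0.15 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""
SAMPLE_UNPATCHED = """\
Microsoft.AspNetCore.App 10.0.0-rc.2.25502.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PATCHED), assess(SAMPLE_UNPATCHED))
```

Self-contained deployments bundle their own runtime and do not appear in this listing, so they need a separate inventory and a rebuild against the fixed release.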

Microsoft simplifies Windows Insider Program

Microsoft announced a major change to its Windows Insider Program this month. Per the explanation in the blog, the feedback from community members was that the channel structure and the feature delivery were confusing. With that in mind, Microsoft simplified the program to two channels, Experimental and Beta. The Experimental channel is just that: cutting-edge features in development which may or may not make a release. Microsoft welcomes feedback, but there is no guarantee these features will make a release.

The Beta channel is what you would expect from the name: these releases contain features in near-final form which will be included in the next release. Feedback here will help fine-tune them for general use. You will be able to move between the channels more easily without having to make completely new installs of your base OS. Community members can expect to be migrated to the appropriate new channels soon.

CopyFail exposes Linux systems to privilege escalation

There are a few hot vulnerabilities getting some extended press that you need to be aware of going into next week’s Patch Tuesday. The first is CVE-2026-33825, which is associated with the Bluehammer exploit. This exploit had a zero-day fix for Microsoft Defender in the April Patch Tuesday release, but since then two additional exploits from the same attacker, called RedSun and UnDefend, have yet to be addressed. Keep an eye out for a fix this month.

And finally, Linux vulnerability CVE-2026-31431, also called CopyFail, is an AI-discovered elevation of privilege vulnerability, which has been present since 2017. A simple proof of concept (PoC) exploit allowed a standard user to obtain root privileges. Patches for the major Linux distributions were released within a week near the beginning of April, so make sure you are updated and protected against attacks targeting this critical vulnerability.

May 2026 Patch Tuesday forecast

  • Microsoft is part of Project Glasswing, so we could see a new record number of CVEs reported. Based on this new ability to identify issues, expect security updates across the entire Microsoft portfolio next week.
  • The Adobe rotation for Creative Cloud Apps updates will most likely contain Audition, Animate, Premiere Pro, and perhaps some repeats from last month like Acrobat, depending on which vulnerabilities have surfaced.
  • Apple, also a founding member of Project Glasswing, is due for their next set of OS and application security updates. They may be released on or near Patch Tuesday just to ‘ride the wave’ of updates so be on the lookout. Anticipate a large number of new CVEs discovered as part of this project as well.
  • Google Chrome 149 will be released next week; most likely on Patch Tuesday.
  • Mozilla released Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2 on Thursday, May 7. Expect corresponding Thunderbird and Thunderbird ESR updates soon. Mozilla was releasing security updates once a month, but that has accelerated to once a week for the past several weeks. We’ll need to see if that trend continues.

And so it begins. We’re certainly starting to see the impact AI has on the security industry. The recent breakthrough of Anthropic’s Mythos is sure to be the first of many tools which will reshape how we approach code development and conduct patch management operations.
