The gist: Anthropic’s AI project Glasswing enables manufacturers to systematically identify and fix multiple times the usual number of security vulnerabilities per update.
In May 2026, leading software vendors such as Microsoft, Apple, Google, and Oracle patch an unprecedented volume of security vulnerabilities—a direct effect of Anthropic’s Glasswing project, which effectively discovers weaknesses in code.
Microsoft released security updates for at least 118 vulnerabilities in Windows and other products on Patch Tuesday in May 2026. This is the first Patch Tuesday update in nearly two years that does not address already actively exploited zero-day flaws and contains no previously publicly known vulnerabilities. Sixteen of the vulnerabilities received the most critical rating: CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon that requires no user interaction and grants SYSTEM rights on domain controllers. CVE-2026-41096 affects the Windows DNS client implementation, and CVE-2026-41103 enables credential spoofing with Entra ID bypass.
The cause of the increased patching frequency is Anthropic’s Glasswing project, an AI capability for automated vulnerability detection in code. Apple, also an early participant, released updates on May 11 addressing at least 52 vulnerabilities, compared to an average of 20. Mozilla shipped Firefox 150 with 271 security vulnerabilities discovered during Glasswing testing and has since moved to weekly security releases with three to five CVE fixes per update. Google rolled out Chrome updates addressing 127 vulnerabilities (previous month: 30), and Oracle announced a shift to monthly patching cycles for critical security issues after its latest quarterly update addressed at least 450 flaws, including over 300 remotely exploitable without authentication.
For CISOs, this means: patching load is structurally increasing, and prioritizing by criticality alone is no longer sufficient—the volume demands automation in patch evaluation and expedited rollout management, especially as vendors move to aggressive weekly or monthly cadences. AI-powered vulnerability discovery surfaces more flaws than conventional methods had previously identified, but simultaneously intensifies compliance and operational challenges in timely remediation.
Source: krebsonsecurity.com · Published May 12, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.0.