Microsoft is poised to set a new record for yearly patching, having released fixes for over 130 vulnerabilities in its May Patch Tuesday release and pushing its total number of patched vulnerabilities past 500 in just the first five months of 2026. Researchers at Microsoft and other organizations say that AI-enabled vulnerability discovery systems have greatly accelerated and amplified the process of finding security flaws.
The release contained roughly 137 to 138 security updates, addressing 30 critical vulnerabilities as well as others that could allow remote code execution and privilege elevation in Azure DevOps, DNS, Netlogon, Office, and Windows networking components. Although Microsoft said none of the flaws were under active attack when the updates shipped, security specialists warned that the sheer volume may overload IT departments.
Microsoft also said that some of the flaws were found by its own AI-based “MDASH” multilayered model analysis system, which points to a broader trend toward automated vulnerability analysis across the industry. The use of artificial intelligence to identify security weaknesses is expected to sharply increase CVE counts in the coming years.
Both sides of the equation have changed
Rajeev Raghunarayan, Head of GTM, at Averlon, said: “AI-accelerated vulnerability discovery changes both sides of the equation. The same capability that helps vendors find vulnerabilities faster helps attackers reverse-engineer patches faster. More CVEs per month means more simultaneous targets for weaponization, and the window between patch release and working exploit keeps compressing.”
He added that the deeper problem is what this does to prioritization frameworks. “KEV, EPSS, the Exploitability Index: these were all calibrated for a world where the volume was manageable. They give you population-level probability estimates. Translating those into action for your specific environment, understanding what’s actually reachable, what connects to critical systems, what an attacker could chain, has always required human judgment at the last mile.”
“When you extrapolate a single vendor producing 500 vulnerabilities in five months to the full software ecosystem, the math with traditional approaches to vulnerability management becomes impossible. AI accelerating discovery without AI accelerating organization-specific triage and remediation doesn’t close the gap. It widens it,” Raghunarayan added.
A wild west era
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, at Suzu Labs, commented: “Microsoft’s MDASH system found 16 vulnerabilities in this month’s Patch Tuesday release, including four critical flaws no human researcher identified first, in Windows networking and authentication code that has been reviewed for decades.”
He added that the same pattern played out in the Linux kernel over the past two weeks with Copy Fail and Dirty Frag, where AI assisted tooling surfaced privilege escalation paths dormant for nearly a decade. “Vulnerability research is in a wild west era and zero-day discovery is becoming commoditized. The bugs were already there. The tooling to find them efficiently has changed.”
Krell said the offensive side is not waiting. “Google confirmed the first known AI developed zero-day exploit the same week, and Mandiant’s M-Trends 2026 report puts mean time to exploit at negative seven days, meaning exploitation is routinely outpacing disclosure. Organizations still anchored to point in time testing and static detection are investing in the wrong phase of the problem. The focus needs to shift toward continuous exposure management, threat hunting, and blast radius reduction, because the operating assumption going forward is that an attacker will have a zero-day on hand.
“Microsoft is investing in finding bugs faster, but the ecosystem around that investment is fraying. Three Defender zero days were publicly leaked and actively exploited in April after a researcher alleged MSRC mishandled their disclosure. HackerOne paused its open source bug bounty program citing a worsening imbalance between discovery volume and remediation capacity. Discovery speed without remediation speed creates exposure, not defense.”
The triage paradox
John Carberry, Solution Sleuth, at Xcape, Inc, said: “The May 2026 Patch Tuesday is a milestone in the transition to ‘AI-speed’ security. With 138 vulnerabilities patched this month – the second-largest volume in history – and over 500 CVEs addressed since January, Microsoft is on pace to shatter the 2020 record of 1,245 annual patches. The deployment of the internal ‘MDASH’ system signals that the bottleneck is no longer flaw discovery, but organizational remediation. While this month marks a rare break in the 22-month zero-day streak, the critical RCEs in foundational components like Netlogon, DNS Client, and Azure DevOps suggest that AI is successfully excavating high-impact, historical debt that human-led audits missed for decades.”
Carberry offers several critical takeaways:
- The Triage Paradox: AI-accelerated discovery is creating a “denial of service” for traditional patch management. Organizations must move beyond manual vetting toward automated, risk-based prioritization to survive a permanent 100+ CVE-per-month baseline.
- Prioritize the “Unauthenticated” Stack: The MDASH-discovered flaws in tcpip.sys and the Netlogon RCE (CVE-2026-41089) require immediate attention. These are zero-interaction, network-level vulnerabilities that are prime targets for automated exploit development by state-sponsored actors.
- Isolation is the Only Buffer: The discovery of four critical Word RCEs (triggered via the Preview Pane) underscores that document-handling remains a massive endpoint risk. Enforcing “Protected View” and isolating high-risk user groups on Microsoft Baseline Security Mode (BSM) is necessary to mitigate the speed at which AI-found bugs are weaponized.
“We’ve officially reached the ‘Ouroboros’ phase of cybersecurity, where Microsoft’s AI finds flaws faster than its customers can patch them, effectively turning your IT department into a high-stakes unpaid intern for a machine.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.