This month’s Patch Tuesday is a little unusual. Microsoft fixed 118 vulnerabilities across its products — but for the first time in nearly two years, there are no emergency zero-days being actively exploited. No previously disclosed flaws either. That’s the good news.
The bad news? Sixteen of those bugs are rated “critical,” meaning they could let an attacker take remote control of a Windows device with little or no user interaction. Rapid7 flagged three in particular: CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that hands an attacker SYSTEM privileges on a domain controller; CVE-2026-41096, a critical remote code execution (RCE) flaw in the Windows DNS client; and CVE-2026-41103, an elevation-of-privilege bug that lets an attacker bypass Entra ID by forging credentials.
But the real story here isn’t Microsoft. It’s AI. A project called Glasswing — developed by Anthropic and given to a few dozen tech giants — is proving scarily effective at finding security vulnerabilities in code. Apple, another Glasswing participant, shipped updates fixing 52 vulnerabilities this month and backported them all the way to the iPhone 6s. Mozilla’s Firefox 150 reportedly fixed 271 vulnerabilities discovered during a Glasswing evaluation.
Oracle patched 450 flaws in its latest quarterly update, including over 300 remotely exploitable ones. Google’s Chrome update fixed 127 security bugs, up from just 30 the previous month. Both companies have accelerated their patch cycles after working with Glasswing.
The takeaway: AI is getting better at breaking software than humans are at securing it. Vendors are patching faster, but the volume of discovered vulnerabilities is surging. Keep your systems updated — and maybe back up before you hit that restart button.
