Microsoft on pace to break annual vulnerability record as AI-driven patch wave takes hold
Five months into 2026, Microsoft has already patched more than 500 vulnerabilities — although the exact monthly count varies depending on whether analysts include Edge, Chromium and fixes shipped earlier in the month.
Microsoft on Tuesday issued patches for more than 130 security vulnerabilities, putting it on pace to break its own annual record, with the company's security leadership acknowledging that AI tools are driving a surge in vulnerability discovery across the industry.
Five months into 2026, Microsoft has already patched more than 500 vulnerabilities — although the exact monthly count varies depending on whether analysts include Edge, Chromium and fixes shipped earlier in the month.
April's release addressed 173 vulnerabilities according to Microsoft's Security Update Guide, while May's release followed with more than 137. Tom Gallagher, vice president of engineering at Microsoft’s Security Response Center, said in a blog post the company expects releases to continue trending larger.
Source: https://therecord.media/microsoft-on-pace-to-break-annual-vulnerability-record-ai
Related breach coverage
- Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming2026-05-13
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more. Microsoft’s May 2026 Patch Tuesday patched 138 vulnerabilities in a single release. That is a number that gives pause even for people accustomed to these cycles. The affected products span virtually the entire Microsoft […]
- Pwn2Own Berlin 2026, Day Two: $385,750 more, Microsoft Exchange falls, and the running total crosses $900K2026-05-15
Day two of Pwn2Own Berlin 2026 saw $385,750 earned for 15 zero-days, bringing the total to $908,750 and 39 vulnerabilities over two days. During the second day of Pwn2Own Berlin 2026, security researchers earned $385,750 after successfully demonstrating 15 unique zero-day vulnerabilities affecting products such as Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux […]
- Experts warn of active exploitation of critical NGINX flaw CVE-2026-429452026-05-18
A critical NGINX flaw (CVE-2026-42945) is actively exploited, allowing crashes or possible code execution via malicious HTTP requests. A critical vulnerability in NGINX Plus and NGINX Open, tracked as CVE-2026-42945 (CVSS v4 score of 9.2), is already being actively exploited shortly after disclosure. “We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer […]
- U.S. CISA adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog2026-05-16
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Exchange Server, tracked as CVE-2026-42897 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft warned that threat actors are […]