Microsoft’s May Patch Tuesday dropped today covering 118 security vulnerabilities across Windows and its other products. The number is notable, but the more interesting detail is what’s not in there: for the first time in nearly two years, none of the fixes address zero-day flaws that are already being actively exploited in the wild.
A Quieter Month
118 patches is still a big drop, but it’s a step down from April’s near-record 167 fixes. The bigger deal is that the absence of zero-days means IT teams can apply these updates on their own schedule without the pressure of known attacks already in circulation. That’s a meaningful change from the cadence of the past two years, where it felt like every Patch Tuesday came with at least one fire to put out immediately.
AI-Assisted Vulnerability Discovery
The high patch volume across the industry this month isn’t coincidence. Microsoft was among a group of tech companies given access to Project Glasswing, an AI capability developed by Anthropic that’s been effective at finding security vulnerabilities in code. Apple, Google, Mozilla, and Oracle were also part of the program, and all of them are shipping unusually large security updates this month. The pattern suggests AI tooling is getting good enough to surface bugs faster than humans alone could find them, which means more fixes, more often.
When to Update
With no active zero-days in the mix, there’s no urgent reason to drop everything and update today. That said, 118 patches is a large surface area and some of the fixes address critical elevation of privilege flaws, including one in Microsoft Entra ID that could let an attacker impersonate existing users. Standard advice applies: back up first, then update within the next week or two.
Windows Update will handle the rollout automatically for most users. Enterprise IT teams can find the full breakdown at the SANS Internet Storm Center’s monthly patch inventory.