Key Takeaways
Third-party updates are rapidly increasing to offset the increase in exposure findings. Oracle announced CSPUs to occur between quarterly CPUs to keep up with security issues.
Microsoft had a large release this month, but no zero-day or publicly disclosed vulnerabilities, which gives you a rare opportunity to resolve the Microsoft updates according to your regular maintenance schedule.
Continuing the Patch Apocalypse this month, we are already seeing more aggressive shifts in updates from many vendors.
Oracle announced a new release cadence starting in May 2026 to address the acceleration of vulnerability detection introduced by Mythos and other AI security models. Monthly Critical Security Patch Updates (CSPUs) will fill in the two-month gap between their quarterly Critical Patch Updates (CPUs).
Mozilla had been working with AI models prior to Mythos, which led to 22 security-sensitive bugs being resolved in Firefox 148. They announced continued collaboration with Anthropic to apply an early version of Mythos to Firefox and released Firefox 150, resolving 271 vulnerabilities identified during the evaluation. Since Firefox 150.0.0 was released, they have been on a more aggressive weekly cadence for security updates, including the release of Firefox 150.0.3 on May Patch Tuesday, resolving three to five CVEs in each release.
Apple is another early participant in Project Glasswing and has seen a recent spike in the number of exposures resolved. They typically average around 20 CVEs per iOS security update. For their most recent update on May 11, there is a spike of over 70 CVEs resolved across the 11 Apple updates. While there are no actively exploited vulnerabilities, there are a lot of updates to manage.
Microsoft resolved 118 CVEs in the May 12, 2026 Patch Tuesday update. There are no exploited or publicly disclosed vulnerabilities this month, but the updates resolve 16 Critical CVEs, 105 Important, 5 Moderate, and 1 Low. Office is likely the higher risk this month with four Critical RCE vulnerabilities resolved in this update, but the OS, as usual, has a lot of CVEs being resolved.
Third-party vulnerabilities (Leading up to and including Patch Tuesday)
Adobe resolved 52 CVEs in their Patch Tuesday update that included 10 bulletins. Adobe Commerce is the clear priority — it's the only Priority Two update this month, with 10 Critical CVEs including two at CVSS 8.7, and several DoS vulnerabilities that require no admin privileges to exploit.
Apple released updates for their platforms on May 11 resolving between 25 and 52 CVEs across all platforms. The release did not include any exploited or publicly disclosed vulnerabilities, but is notably larger than average.
Google released Chrome 148 on May 5 resolving 127 CVEs including three Critical ratings. Google has been on a weekly cadence for Chrome updates for a while now, but the May 5 update is far larger than average for Chrome (possibly the largest CVE count resolved in a single update). Another Chrome release is expected on or shortly after Patch Tuesday.
Mozilla has been on a steady weekly release schedule for Firefox since the release of Firefox 150. Mozilla made some headlines with the 271 CVEs resolved in Firefox 150.0.0 and has been averaging three to five CVEs resolved each week since. Firefox 150.0.3, released on Patch Tuesday, is the latest release and resolved five CVEs, all with a High rating.
Ivanti security advisories
Ivanti has released four security updates for May Patch Tuesday. The updates affect Ivanti Secure Access Client, Ivanti Xtraction, Ivanti Virtual Traffic Manager, and Ivanti Endpoint Manager and resolve seven CVEs. More details and information about mitigations can be found in the May Security Advisory.
In addition, Ivanti released a Security Update for Ivanti Endpoint Manager Mobile (EPMM) on May 7 which resolved five CVEs including CVE-2025-6973. At the time of disclosure, Ivanti was aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. More details and information about mitigations can be found in the May 2026 EPMM Security Update Advisory.
May update to-do list
- Third-party update cadence is accelerating. Ensure you are prioritising more frequent update schedules for priority applications such as browsers, productivity apps, and telecommunications apps.
- Microsoft and Apple both released updates across pretty much every platform. No exploits, but there are a lot of vulnerabilities to remediate.