CISOOnline

June Patch Tuesday marks a ‘new normal’ with over 200 CVEs, 32 rated ‘critical’

Microsoft recently told customers it expects the number of vulnerabilities in monthly updates to continue rising, influenced by the growing use of AI tools. As a May post by the Microsoft Security Response Center put it: “As larger releases settle in as a norm, the way we deliver and decide on updates remains consistent. Patch Tuesday continues as our predictable rhythm for on-premises software.” Going forward, customers should brace themselves for more out-of-band updates, it added.

According to Nirwan Dogra, a Senior Software Engineer at Microsoft Security, May and June 2026 represent a new norm that will challenge traditional, slower test-and-deploy patching.

“The 200+ CVE count isn’t an anomaly. It’s the new baseline. AI-assisted vulnerability discovery (fuzzing, static analysis, variant hunting) is compressing the timeline between ‘a bug exists’ and ‘bug is found’ dramatically,” he said via email.

Ominously, according to Dogra, the AI tools in use were also uncovering more flaws in components previously seen as too complex for manual audit, such as hypervisor code and Kerberos. He recommended that organizations move towards risk-based vulnerability prioritization, automated patching pipelines, and a focus on the flaws that were likely to be exploited.


