First Half of 2026: The Patch Tuesday Trends That Should Worry You

Six months of Patch Tuesday data tells a story that should concern every IT leader responsible for endpoint security. The numbers from December 2025 through May 2026 reveal an accelerating threat landscape, an expanding attack surface, and a sobering reality: Microsoft's own updates are increasingly a source of operational risk alongside the vulnerabilities they fix.

By the Numbers

Across the last six Patch Tuesday releases, Microsoft has patched approximately 610 vulnerabilities — an average of over 100 per month. The breakdown tells us where the pressure is building:

Month           Total CVEs   Critical   Zero-Days (Exploited)   OOB Fix Required
December 2025   57           2          1                       No
January 2026    114          8          1                       Yes — RDP + Shutdown
February 2026   55           2          6                       No
March 2026      84           8          0 (2 disclosed)         No
April 2026      163          8          1                       Yes — DC restart loops
May 2026        137          3          1                       No

Trend 1: Zero-Days Are the New Normal

Five of six months included at least one vulnerability that was already being actively exploited at the time of patch release. February's six simultaneous zero-days were the high-water mark, but the sustained pace — 9 exploited zero-days in the first half of 2026 — means organizations need to treat every Patch Tuesday as a potential emergency. Monthly patch cycles are too slow when attackers already have working exploits on release day.

Trend 2: The Updates Themselves Are Breaking Things

Two of six months required emergency out-of-band fixes for regressions introduced by the security updates. January broke Remote Desktop authentication and shutdown functionality. April broke domain controllers. These aren't edge cases — RDP and domain controllers are the most critical infrastructure in most enterprise environments.

The message is clear: deploying security updates without staged validation is its own risk. You need ring-based deployment, automated health signal verification, and rollback capabilities. "Patch everything immediately" is not a strategy when the patches themselves can cause outages.

Trend 3: AI Is Changing the Vulnerability Discovery Game

March's CVSS 9.8 flaw, discovered by the XBOW AI agent, and the Linux CopyFail vulnerability, also found by AI (present since 2017, yet found in weeks), signal a permanent shift. AI-driven vulnerability discovery will increase both the volume and the severity of findings. Defensive teams need to prepare for higher patch volumes, while recognizing that the same AI capabilities are available to attackers for offensive research.

Trend 4: Elevation of Privilege Dominates

Across all six months, elevation of privilege vulnerabilities consistently accounted for 42-57% of all patches. This reflects the modern attack pattern: initial access through phishing or web exploitation (relatively easy), followed by privilege escalation to move laterally and access sensitive data (the hard part that EoP patches protect against). If you're prioritizing patches by type, EoP vulnerabilities in kernel drivers, DWM, and Active Directory components should be at the top of every list.

What This Means for Your Patch Strategy

The first half of 2026 makes the case for three capabilities that most organizations still lack:

Automated, ring-based deployment with validation gates. Not optional. Not aspirational. The January and April regressions proved that untested updates deployed at scale are an operational hazard. Deploy to a pilot ring, validate health signals (boot success, RDP authentication, event log baselines, service availability), and only promote to production rings when validation passes.

Real patch compliance visibility. "Deployed" is not "compliant." The gap between Intune reporting that an update was delivered and knowing whether it actually installed, didn't cause a regression, and is functioning correctly is where security posture lives. Four-state evaluation — pass, fail, not configured, not collected — gives you actual compliance, not aspirational compliance.

Cross-platform coverage. The Linux CopyFail vulnerability is a reminder that Windows-only patch management leaves half the attack surface unmonitored. macOS, Linux, and third-party applications (Chrome, Adobe, Zoom, and hundreds of others) need the same rigor as Windows updates.
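One way to implement the validation gate and the four-state evaluation described above, as an added example written for this article rather than Patchblox's own code; the signal names, the thresholds and the pilot-ring results are assumptions:

```python
from collections import Counter
from enum import Enum


class State(Enum):
    """Four-state evaluation: a signal that was never collected is not a pass."""
    PASS = "pass"
    FAIL = "fail"
    NOT_CONFIGURED = "not_configured"
    NOT_COLLECTED = "not_collected"


# Health signals the pilot ring must report before promotion (assumed names).
REQUIRED_SIGNALS = ("boot_success", "rdp_auth", "event_log_baseline", "service_availability")


def evaluate_device(signals: dict) -> State:
    """Collapse one device's per-signal results into a single state.
    Precedence: any FAIL -> FAIL; any missing or uncollected signal -> NOT_COLLECTED;
    any NOT_CONFIGURED -> NOT_CONFIGURED; otherwise PASS."""
    states = [State(signals.get(name, "not_collected")) for name in REQUIRED_SIGNALS]
    for blocking in (State.FAIL, State.NOT_COLLECTED, State.NOT_CONFIGURED):
        if blocking in states:
            return blocking
    return State.PASS


def promotion_gate(ring: dict, min_pass_rate: float = 0.95, min_coverage: float = 0.98) -> dict:
    """Decide whether pilot-ring results justify promoting the update to the next ring.
    Coverage counts devices that reported every signal; the pass rate is computed only
    over devices with a definitive PASS/FAIL, so silent devices cannot inflate it."""
    counts = Counter(evaluate_device(signals) for signals in ring.values())
    total = len(ring)
    coverage = (total - counts[State.NOT_COLLECTED]) / total if total else 0.0
    definitive = counts[State.PASS] + counts[State.FAIL]
    pass_rate = counts[State.PASS] / definitive if definitive else 0.0
    reasons = []
    if coverage < min_coverage:
        reasons.append(f"coverage {coverage:.0%} below {min_coverage:.0%}")
    if pass_rate < min_pass_rate:
        reasons.append(f"pass rate {pass_rate:.0%} below {min_pass_rate:.0%}")
    return {"promote": not reasons, "reasons": reasons,
            "counts": {s.value: counts[s] for s in State}}


# Constructed pilot-ring results: one device failed RDP authentication after the
# update (a January-style regression) and one never reported its other signals.
PILOT_RING = {f"pilot-{i:02d}": dict.fromkeys(REQUIRED_SIGNALS, "pass") for i in range(10)}
PILOT_RING["pilot-03"]["rdp_auth"] = "fail"
PILOT_RING["pilot-07"] = {"boot_success": "pass"}

if __name__ == "__main__":
    print(promotion_gate(PILOT_RING))
```

A device that reports nothing lowers coverage instead of silently counting as healthy, which is the difference between "deployed" and "compliant" that the article draws.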

The pace isn't slowing down. Build the infrastructure now, or spend every second Tuesday firefighting.
