May 2026 stands out as a significant month for third‑party vulnerability activity, with a sharp increase in newly disclosed issues across commonly used applications. According to the latest data, 645 unique vulnerabilities were identified during the month, marking a clear spike compared to previous months. At the same time, 124 new patches were released, while 80 applications were confirmed to be affected.
The spike in browser-related vulnerabilities in May is primarily driven by large, coordinated security releases from Chromium-based browsers rather than any single new external factor. Multiple versions of Google Chrome, Microsoft Edge, Brave, and Vivaldi each remediated more than 120 vulnerabilities per release, with some versions addressing as many as 151 vulnerabilities at once. These high counts are a direct result of how Chromium vendors bundle fixes: A single upstream disclosure cycle is propagated across multiple browser variants and release channels, often leading to several high-volume patch releases within the same month. Mozilla products also contributed to the totals, although with smaller per-release volumes.

Notable vulnerabilities in May third-party patches
May included several vulnerabilities that stand out because of confirmed exploit availability and, in some cases, elevated Exploit Prediction Scoring System (EPSS) values. These vulnerabilities require prioritization, as the presence of exploit code significantly reduces the time available for safe remediation.
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem. The flaw allows an unprivileged user to corrupt page cache memory and escalate privileges to root. This vulnerability is reflected in the Application Workspace catalog through Docker Desktop, where Linux kernel components are embedded as part of the virtualization environment used for containers. The vulnerability has drawn significant attention due to the availability of a public exploit and confirmed in‑the‑wild activity, leading to its inclusion in CISA’s Known Exploited Vulnerabilities catalog. In practice, this makes it particularly relevant for containerized and cloud‑native environments, where local privilege escalation can be used to break isolation boundaries and enable lateral movement. More detailed information is available in the Microsoft Security Research blog and the NVD entry.
CVE-2026-43500 is part of the “Dirty Frag” vulnerability set affecting the Linux kernel networking stack, specifically the RxRPC component. In the Application Workspace catalog, this vulnerability is visible through its impact on Rancher Desktop, which relies on a Linux kernel for running Kubernetes and container workloads. The vulnerability arises from improper handling of packet fragments, leading to kernel memory corruption that can be leveraged for privilege escalation. It is particularly notable due to a publicly available exploit and an elevated EPSS score of approximately 0.40, indicating a meaningful likelihood of exploitation in real environments. In attack scenarios, this vulnerability is most commonly used after initial compromise to escalate privileges and gain full system control. More information can be found in Red Hat’s advisory and the Microsoft blog “Active attack: Dirty Frag Linux vulnerability expands post-compromise risk.”
Closely related, CVE-2026-43284 affects the ESP (IPsec) implementation in the Linux kernel and is also observed in Rancher Desktop within the dataset. The vulnerability allows in‑place decryption of packet data backed by shared memory, which can lead to memory corruption and ultimately privilege escalation. Like CVE-2026-43500, it has public exploit code available and an elevated EPSS score of approximately 0.38. These vulnerabilities are often chained together, enabling attackers to reliably escalate from a low‑privileged context to full system control. Their combined effectiveness makes them particularly relevant in environments where attackers already have some level of access. Additional details are available in Red Hat and Tenable advisories.
CVE-2026-46522 affects ImageMagick, a widely used image processing library that appears directly in the Application Workspace catalog. The vulnerability is caused by a missing validation check in the MIFF decoder, which allows a specially crafted image file to trigger an infinite loop and cause CPU exhaustion. This results in a denial-of-service condition that can significantly impact backend systems and processing pipelines. The vulnerability is notable due to the availability of a working public exploit and the low complexity required to trigger it. Given the widespread use of ImageMagick in web services and automation workflows, the potential impact is broad, particularly in environments processing untrusted image content. More information is available in the upstream advisory and exploit references.
Finally, CVE-2025-6965 is a critical vulnerability in the SQLite database engine, which allows memory corruption when malformed queries exceed expected limits. This vulnerability was published on July 15, 2025, and was originally discovered by Google’s Big Sleep. Within the Application Workspace catalog, this vulnerability is surfaced through Microsoft Visual Studio, where SQLite is included as a bundled component. This illustrates how vulnerabilities in widely reused libraries can propagate into higher‑level applications without being immediately visible. The vulnerability is notable because exploit techniques are publicly available and because exposure often arises indirectly through dependencies rather than direct installations. As SQLite is embedded in a wide range of applications and operating systems, the potential impact is broad and may affect environments that are not aware of their exposure. Further details are available from the NVD and the Visual Studio changelog.
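The prioritization argument in this section, as an added example (not Recast's code and not part of the original article): it ranks the five CVEs above by the signals the article names and groups them into one patch job per product. The `tier` rules and `EPSS_THRESHOLD` are assumed local policy, and EPSS is left unset wherever the article states no value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    cve: str
    product: str             # catalog product the article ties the CVE to
    kev: bool                # True only where the article states a CISA KEV listing
    public_exploit: bool
    epss: Optional[float]    # None where the article gives no EPSS value

# Facts as stated in the article above.
FINDINGS = [
    Finding("CVE-2026-31431", "Docker Desktop", True, True, None),
    Finding("CVE-2026-43500", "Rancher Desktop", False, True, 0.40),
    Finding("CVE-2026-43284", "Rancher Desktop", False, True, 0.38),
    Finding("CVE-2026-46522", "ImageMagick", False, True, None),
    Finding("CVE-2025-6965", "Microsoft Visual Studio", False, True, None),
]

EPSS_THRESHOLD = 0.10  # assumed local policy value, not from the article

def tier(f: Finding) -> int:
    """1 = known exploited, 2 = exploit + elevated EPSS, 3 = exploit only, 4 = rest."""
    if f.kev:
        return 1  # confirmed exploitation outranks any score, even a missing one
    if f.public_exploit and f.epss is not None and f.epss >= EPSS_THRESHOLD:
        return 2
    if f.public_exploit:
        return 3  # unknown or low EPSS: still ahead of issues with no exploit
    return 4

def patch_queue(findings, installed):
    """Order installed products by their worst finding; one patch job per product."""
    by_product = {}
    for f in findings:
        if f.product in installed:
            by_product.setdefault(f.product, []).append(f)
    queue = []
    for product, items in by_product.items():
        items.sort(key=lambda f: (tier(f), -(f.epss or 0.0), f.cve))
        queue.append((min(tier(f) for f in items), product, [f.cve for f in items]))
    return sorted(queue)

if __name__ == "__main__":
    for t, product, cves in patch_queue(FINDINGS, {f.product for f in FINDINGS}):
        print(f"tier {t}: {product}: {', '.join(cves)}")
```

Grouping by product matters here because a single update, such as the Rancher Desktop release listed in the table below, closes both Dirty Frag CVEs at once.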

Browser security updates in May 2026
Browser updates remained a significant contributor to overall vulnerability activity in May, continuing the pattern seen in earlier months. Chromium-based browsers and Mozilla products both released multiple updates, with several versions addressing large numbers of vulnerabilities within a single release cycle. This reflects the ongoing trend of vendors consolidating fixes into coordinated security updates rather than distributing them incrementally.
| Browser | Vulnerabilities | Updates |
| --- | --- | --- |
| Google Chrome | 206 | 2 |
| Microsoft Edge | 302 | 4 |
| Brave Browser | 373 | 4 |
| Mozilla Firefox | 37 | 3 |
| Mozilla Firefox 115 | 23 | 2 |
| Mozilla Firefox 140 | 27 | 3 |
| Opera One | 30 | 1 |
| Vivaldi | 127 | 1 |
| Waterfox | 20 | 1 |
Microsoft product updates included in May 2026 third-party patches
Microsoft issued security updates for several other products:
- Microsoft .NET Runtime 10.0
- Microsoft .NET Runtime 8.0
- Microsoft .NET Runtime 9.0
- Microsoft .NET SDK 10.0
- Microsoft .NET SDK 8.0
- Microsoft .NET SDK 9.0
- Microsoft 365 Apps
- Microsoft ASP.NET Core Runtime 10.0
- Microsoft ASP.NET Core Runtime 8.0
- Microsoft ASP.NET Core Runtime 9.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 10.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 8.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 9.0
- Microsoft Azure CLI
- Microsoft Azure Kubelogin
- Microsoft Edge Beta
- Microsoft Edge for Business
- Microsoft Project
- Microsoft Visio
- Microsoft Visual Studio 2019 Community
- Microsoft Visual Studio 2019 Enterprise
- Microsoft Visual Studio 2019 Professional
- Microsoft Visual Studio 2022 Community
- Microsoft Visual Studio 2022 Enterprise
- Microsoft Visual Studio 2022 Professional
- Microsoft Visual Studio Code
- Microsoft Visual Studio Team Explorer 2019
- Microsoft Visual Studio Team Explorer 2022
- Microsoft Windows Desktop Runtime 10.0
- Microsoft Windows Desktop Runtime 8.0
- Microsoft Windows Desktop Runtime 9.0
Detailed list of May third-party patches
| Product Name | Version Name | Vulnerabilities remediated |
| --- | --- | --- |
| Apache Tomcat 10 | 10.1.55 | 7 |
| Apache Tomcat 11 | 11.0.22 | 7 |
| Apache Tomcat 9 | 9.0.118 | 7 |
| Brave Browser | 1.90.128 | 151 |
| Brave Browser | 1.90.121 | 127 |
| Brave Browser | 1.90.122 | 79 |
| Brave Browser | 1.90.124 | 16 |
| Datadog Agent | 7.79.0 | 2 |
| Datadog Agent | 7.79.1 | 2 |
| Datadog Agent | 7.78.3 | 1 |
| Docker Desktop | 4.72.0 | 1 |
| Docker Desktop | 4.72.0.225998 | 1 |
| Electron | 42.0.0 | 13 |
| EnterpriseDB Corporation PostgreSQL 14 | 14.23.1 | 8 |
| EnterpriseDB Corporation PostgreSQL 15 | 15.18.1 | 8 |
| EnterpriseDB Corporation PostgreSQL 16 | 16.14.1 | 9 |
| EnterpriseDB Corporation PostgreSQL 17 | 17.10.1 | 10 |
| EnterpriseDB Corporation PostgreSQL 17 | 17.10 | 10 |
| EnterpriseDB Corporation PostgreSQL 18 | 18.4.1 | 11 |
| Erlang OTP | 29.0.1.0 | 3 |
| Erlang OTP | 28.5.0.1 | 3 |
| GitHub CLI | 2.93.0 | 1 |
| Google Chrome | 148.0.7778.217 | 151 |
| Google Chrome | 148.0.7778.97 | 127 |
| Google Chrome | 148.0.7778.96 | 127 |
| Google Chrome | 148.0.7778.167 | 79 |
| Google Chrome | 148.0.7778.168 | 79 |
| Google Chrome | 148.0.7778.178 | 16 |
| Google Chrome | 148.0.7778.179 | 16 |
| Google Chrome for Business | 148.0.7778.97 | 127 |
| Google Chrome for Business | 148.0.7778.168 | 79 |
| Google Chrome for Education | 148.0.7778.97 | 127 |
| Google Chrome for Education | 148.0.7778.168 | 79 |
| Google Go Programming Language | 1.26.3 | 12 |
| Google Go Programming Language | 1.25.10 | 12 |
| Grafana k6 | 2.0.0 | 1 |
| ImageMagick | 7.1.2.23 | 10 |
| ImageMagick | 7.1.2.24 | 6 |
| Mendix Studio Pro 10 | 10.24.21.108016 | 10 |
| Microsoft .NET Runtime 10.0 | 10.0.8 | 4 |
| Microsoft .NET Runtime 8.0 | 8.0.27 | 4 |
| Microsoft .NET Runtime 8.0 | 8.0.27.36029 | 4 |
| Microsoft .NET Runtime 9.0 | 9.0.16 | 4 |
| Microsoft .NET SDK 10.0 | 10.0.300 | 4 |
| Microsoft .NET SDK 8.0 | 8.4.2126.23002 | 4 |
| Microsoft .NET SDK 8.0 | 8.0.421 | 4 |
| Microsoft .NET SDK 9.0 | 9.0.314 | 4 |
| Microsoft 365 Apps | 2604 (Build 16.0.19929.20164) | 15 |
| Microsoft 365 Apps | 2508 (Build 16.0.19127.20646) | 15 |
| Microsoft ASP.NET Core Runtime 10.0 | 10.0.8 | 4 |
| Microsoft ASP.NET Core Runtime 8.0 | 8.0.27.26230 | 4 |
| Microsoft ASP.NET Core Runtime 8.0 | 8.0.27 | 4 |
| Microsoft ASP.NET Core Runtime 9.0 | 9.0.16 | 4 |
| Microsoft ASP.NET Core Runtime Hosting Bundle 10.0 | 10.0.8 | 4 |
| Microsoft ASP.NET Core Runtime Hosting Bundle 8.0 | 8.0.27.26230 | 4 |
| Microsoft ASP.NET Core Runtime Hosting Bundle 9.0 | 9.0.16 | 4 |
| Microsoft Azure CLI | 2.86.0 | 3 |
| Microsoft Azure Kubelogin | 0.2.18 | 1 |
| Microsoft Edge Beta | 148.0.3967.54 | 122 |
| Microsoft Edge for Business | 148.0.3967.54 | 121 |
| Microsoft Edge for Business | 148.0.3967.96 | 88 |
| Microsoft Edge for Business | 148.0.3967.96 | 85 |
| Microsoft Edge for Business | 148.0.3967.70 | 76 |
| Microsoft Edge for Business | 148.0.3967.96 | 75 |
| Microsoft Edge for Business | 148.0.3967.70 | 75 |
| Microsoft Edge for Business | 148.0.3967.83 | 16 |
| Microsoft Project | 2604 (Build 16.0.19929.20164) | 15 |
| Microsoft Visio | 2604 (Build 16.0.19929.20164) | 15 |
| Microsoft Visual Studio 2019 Community | 16.11.37301.9 | 1 |
| Microsoft Visual Studio 2019 Enterprise | 16.11.37301.9 | 2 |
| Microsoft Visual Studio 2019 Professional | 16.11.37301.9 | 2 |
| Microsoft Visual Studio 2022 Community | 17.14.37301.10 | 5 |
| Microsoft Visual Studio 2022 Enterprise | 17.12.37301.13 | 5 |
| Microsoft Visual Studio 2022 Enterprise | 17.14.37301.10 | 5 |
| Microsoft Visual Studio 2022 Professional | 17.12.37301.13 | 5 |
| Microsoft Visual Studio 2022 Professional | 17.14.37301.10 | 5 |
| Microsoft Visual Studio Code | 1.119.1 | 4 |
| Microsoft Visual Studio Team Explorer 2019 | 16.11.37301.9 | 1 |
| Microsoft Visual Studio Team Explorer 2022 | 17.14.37301.10 | 5 |
| Microsoft Windows Desktop Runtime 10.0 | 10.0.8 | 4 |
| Microsoft Windows Desktop Runtime 8.0 | 8.0.27.36030 | 4 |
| Microsoft Windows Desktop Runtime 9.0 | 9.0.16 | 4 |
| MongoDB Community Edition 5.0 | 5.0.33 | 1 |
| MongoDB Enterprise Edition 5.0 | 5.0.33 | 1 |
| Mozilla Firefox | 151.0 | 29 |
| Mozilla Firefox | 150.0.3 | 5 |
| Mozilla Firefox | 150.0.2 | 3 |
| Mozilla Firefox ESR 115 | 115.36.0 | 20 |
| Mozilla Firefox ESR 115 | 115.35.2 | 3 |
| Mozilla Firefox ESR 140 | 140.11.0 | 20 |
| Mozilla Firefox ESR 140 | 140.10.1 | 4 |
| Mozilla Firefox ESR 140 | 140.10.2 | 3 |
| Mozilla Thunderbird | 151.0 | 29 |
| Mozilla Thunderbird | 150.0.2 | 3 |
| Mozilla Thunderbird ESR 140 | 140.11.0 | 20 |
| Mozilla Thunderbird ESR 140 | 140.10.2 | 3 |
| nginx | 1.31.0 | 6 |
| nginx | 1.30.1 | 6 |
| nginx | 1.31.1 | 1 |
| nginx | 1.30.2 | 1 |
| Node.js | 26.0.0 | 1 |
| Notepad++ | 8.9.6.1 | 6 |
| Notepad++ | 8.9.6.2 | 6 |
| Notepad++ | 8.9.6 | 3 |
| OpenVPN Connect | 3.8.2 | 1 |
| Opera One | 131.0.5877.24 | 30 |
| PaperCut MF | 25.0.11.75756 | 1 |
| PaperCut NG | 25.0.11.75758 | 1 |
| pgAdmin 4 | 9.15 | 8 |
| Python 3.14 | 3.14.5 | 1 |
| Rancher Desktop | 1.22.3 | 3 |
| Splunk Enterprise | 10.0.6 | 1 |
| Splunk Enterprise | 10.2.3 | 1 |
| Splunk Enterprise 9.3 | 9.3.12 | 1 |
| Splunk Enterprise 9.4 | 9.4.11 | 1 |
| TeamCity | 2026.1.1 | 1 |
| TeamCity | 2026.1 | 1 |
| VisualSVN Server | 5.4.7 | 11 |
| Vivaldi | 7.9.3970.64 | 127 |
| VMware Fusion | 26.0.0 | 1 |
| Waterfox | 6.6.13 | 20 |
| Wireshark | 4.6.6 | 41 |
| Wireshark | 4.4.16 | 36 |
Application management at the speed of your operations
Vulnerabilities move fast, especially in a distributed workforce. Discover how Recast’s application management product, Application Workspace, helps IT teams keep applications patched, compliant, and correctly configured, wherever work happens.