Patch windows shrinking

- Security researchers warn frontier AI models can autonomously find and exploit software flaws, shortening defenders' patch windows.
- CISA added eight actively exploited flaws to its Known Exploited Vulnerabilities list and set April–May federal patch deadlines.
- Multiple high-severity issues surfaced, including an Apache Tomcat auth bypass, thousands of exposed ActiveMQ instances, and public exploit code for Syncope. (cycognito.com) (gbhackers.com) (thehackernews.com)

Software patch windows are shrinking as security teams race against new flaws and artificial intelligence systems that can turn known bugs into working attacks faster. (unit42.paloaltonetworks.com) A software patch is a vendor’s fix for a bug, and the patch window is the time between disclosure and the moment defenders get systems updated. Palo Alto Networks’ Unit 42 said on April 20 that frontier AI models are accelerating that discovery-to-exploitation cycle for both zero-day flaws and “N-day” bugs that are public but not yet widely patched. (unit42.paloaltonetworks.com)

Anthropic said on April 7 that its restricted-access Claude Mythos Preview can identify and exploit zero-day vulnerabilities in every major operating system and web browser it tested. Anthropic launched Project Glasswing with partners including Amazon Web Services, Apple, Cisco, Google, Microsoft and Palo Alto Networks, and said it had extended access to more than 40 additional organizations. (anthropic.com) (red.anthropic.com)

The federal government is already triaging around active attacks, not just theoretical risk. The Cybersecurity and Infrastructure Security Agency added seven new vulnerabilities to its Known Exploited Vulnerabilities catalog on April 13, and its live catalog shows Apache ActiveMQ flaw CVE-2026-34197 was added April 16 with an April 30 remediation deadline for Federal Civilian Executive Branch agencies. (cisa.gov 1) (cisa.gov 2) CISA’s catalog is the government’s running list of bugs already exploited in the wild, and Binding Operational Directive 22-01 requires those federal agencies to fix listed flaws by the stated due date. CISA says other organizations should also use the catalog to prioritize patching. (cisa.gov 1) (cisa.gov 2)

One April example came from Apache Tomcat’s native connector, which handles low-level web server and certificate work. Apache said CVE-2026-29145 let some client-certificate checks “soft-fail” even when that fallback was disabled, a condition that could let revoked certificates pass authentication in affected versions 1.3.0 through 1.3.6 and 2.0.0 through 2.0.13; fixes shipped in 1.3.7 and 2.0.14. (tomcat.apache.org)

Apache ActiveMQ, a message broker used to move data between applications, picked up its own urgent fixes. Apache said CVE-2026-33227 affected versions before 5.19.3 and 6.0.0 before 6.2.2, exposed a classpath resource-loading weakness through a user-supplied key value, and was fully fixed for Windows and non-Windows users in 5.19.4 and 6.2.3. (activemq.apache.org) Apache also disclosed CVE-2026-39304, a denial-of-service bug in ActiveMQ’s NIO SSL transport for TLS 1.3 that could let a client trigger repeated KeyUpdates until the broker ran out of memory. Apache said affected users should move to 5.19.5 or 6.2.4. (activemq.apache.org)

Apache Syncope, an identity and access management platform, published fixes for two “Important” flaws in versions 3.0 through 3.0.15 and 4.0 through 4.0.3. Apache said CVE-2026-23794 was a reflected cross-site scripting bug on the Enduser login page that could steal credentials if a user clicked a malicious link, and CVE-2026-23795 was an XML external entity issue in the console that could leak sensitive data; fixes landed in 3.0.16 and 4.0.4. (syncope.apache.org) (nvd.nist.gov)

Unit 42 said frontier models are especially effective against open-source code because they can inspect source directly and trace complex exploit chains that static scanners or human reviewers may miss. Anthropic said more than 99% of the vulnerabilities its model found remain undisclosed while vendors patch them, which means defenders are being asked to move faster with less public detail. (unit42.paloaltonetworks.com) (red.anthropic.com) The old assumption that teams had weeks between disclosure and broad exploitation is giving way to deadlines measured in days. CISA’s April 30 due date for ActiveMQ is one concrete marker of that new tempo. (cisa.gov)
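The KEV catalog and BOD 22-01 due dates described above are meant to drive patch prioritization. As an added example (not from the article or from CISA), the script below joins a small KEV-shaped feed with a constructed asset inventory and ranks exposed products by days left before the federal due date; the ActiveMQ entry uses the dates quoted in the article, the second feed entry, the hostnames and the inventory versions are made up.

```python
"""Rank KEV entries that touch your inventory by BOD 22-01 due date."""
from datetime import date
import json

# Constructed sample in the shape of CISA's KEV JSON feed (same field names).
# First entry: the ActiveMQ flaw and dates cited in the article.
# Second entry: a placeholder CVE id, present only to show ordering/filtering.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ",
     "dateAdded": "2026-04-16", "dueDate": "2026-04-30"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
]})

# Constructed inventory: hostname -> (vendor, product, installed version)
INVENTORY = {
    "mq-01": ("Apache", "ActiveMQ", "6.2.1"),
    "mq-02": ("Apache", "ActiveMQ", "5.19.2"),
    "web-01": ("Apache", "Tomcat", "10.1.40"),
}

def triage(kev_json, inventory, today_iso):
    """Return KEV entries matching inventory products, most urgent first.

    Each result carries the patch window CISA allowed (dateAdded to dueDate),
    days remaining as of `today_iso` (negative when overdue) and the hosts
    that run the affected product. Entries for products not in the inventory
    are dropped.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hosts = sorted(h for h, (v, p, _) in inventory.items()
                       if (v, p) == (entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # nothing in the estate runs this product
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        results.append({
            "cve": entry["cveID"],
            "window_days": (due - added).days,
            "days_left": (due - today).days,
            "overdue": today > due,
            "hosts": hosts,
        })
    return sorted(results, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, "2026-04-20"):
        print(row)
```

Pointing the script at the live CISA feed instead of `KEV_SAMPLE` only requires downloading the JSON; the field names are the same.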
