The company has reported that the MDASH framework, developed internally by Microsoft for agentic artificial intelligence, was instrumental in identifying 16 security vulnerabilities affecting core Windows networking and authentication components, including four critical vulnerabilities that can be exploited remotely.
According to the discovery, which was addressed during Patch Tuesday's security rollout of May 2026, autonomous AI systems are not limited to the generation of code in defensive cybersecurity engineering. In addition to analyzing complex software environments, tracing insecure logic paths, and identifying exploitable weaknesses before threats can weaponize them, these tools are increasingly being used to analyze complex software environments.
Microsoft's Autonomous Code Security team developed MDASH, which is currently being tested by a select number of customers in a private preview program. MDASH is now actively supporting internal security engineering operations and is part of the company's wider effort to integrate AI-driven vulnerability research into enterprise-scale software assurance and development processes.
The MDASH framework is at the core of this initiative. It is an internally developed framework that works independently of any single language model while coordinating specialized AI agents tailored to specific vulnerability classes, a framework that is uniquely engineered for this purpose. By utilizing a combination of frontier-scale and distilled AI models, the platform distributes tasks across more than 100 purpose-built agents instead of relying on a conventional one-model scanning architecture.
Using the system, Taesoo Kim, Microsoft's vice president of agentic security, enables the detection of end-to-end vulnerabilities by autonomously identifying suspicious code behavior, challenging each other's findings, and independently validating exploitability before escalated results that are confirmed.
MDASH is an analysis pipeline that consists of multiple stages.
After ingesting source code, MDASH constructs an internal threat model and maps the attack surface, and then dedicated agents conduct audits to identify possible vulnerabilities such as insecure logic, memory corruption, authentication vulnerabilities, and other exploitable conditions.
In addition to eliminating false positives, a secondary layer of "debater" agents also performs adversarial reasoning workflows to verify technical validity and eliminate false positives.
As a result of the correlation between semantically similar findings, consolidating overlapped detections, and providing proof-based validation, the framework is able to demonstrate that vulnerabilities can be exploited practically.
Using Microsoft's architecture, Microsoft says complex security analysis can be performed using state-of-the-art reasoning models, distilled models for large-scale validation tasks, and a high-capability, independent counteranalysis model.
Through layered reviews, Microsoft hopes to improve detection accuracy and reliability across enterprise-scale codebases including Windows.
In addition to the TCP/IP networking stack, IKEEXT IPsec, HTTP.sys, Netlogon, DNS resolution mechanisms, and the legacy Telnet client, MDASH uncovered a number of deeply embedded Windows components that were susceptible to remote attack surfaces. These vulnerabilities underscore how wide a range of attacks can be conducted on modern operating systems.
According to Microsoft, ten of the identified vulnerabilities affect kernel-mode components and six affect user-mode services. Under realistic deployment scenarios, most of these vulnerabilities are remotely accessible without authentication.
In total, four vulnerabilities were rated Critical, including CVE-2026-338277, an unauthenticated use-after-free issue in tcpip.sys, and CVE-2026-338248, a remotely exploitable double-free issue in the IKEv2 protocol over UDP port 500.
It is reported that MDASH demonstrated unusually high precision during validation exercises, in that all 21 intentionally seeded vulnerabilities were detected without generating false positives during internal testing.
It was further stated by Microsoft that the framework recalled 96 percent of the five years of confirmed cases of the Microsoft Security Response Center for CLFS.sys and covered tcpip.sys in full, as well as scoring 88.45 percent on the CyberGym benchmark containing 1,507 real-world vulnerabilities, which is the highest score in the industry.
The broader research initiative continues to be closely tied to Microsoft's offensive and defensive security engineering ecosystems.
Currently, the platform is deployed across Microsoft's engineering environments and is currently being evaluated by limited customers through a private preview program. A team led by Autonomous Code Security worked in collaboration with Windows Attack Research and Protection specialists who specialized in advanced offensive Windows research to spearhead development efforts.
A number of researchers involved in this project previously served as members of Team Atlanta, the team recognized for winning the DARPA AI Cyber Challenge using a system for discovering and patching vulnerabilities autonomously.
The company stated that the implementation of autonomous auditing at an enterprise level can pose unique operational difficulties due to the proprietary nature of the Windows codebase and the absence of public training datasets.
In addition, low-tolerance production environments prevent inaccurate detections from occurring.
These constraints can be addressed by MDASH by providing extensible plugins capable of injecting highly specialized contextual knowledge into the analysis pipeline. These include kernel calling conventions, synchronization rules, interprocess communication trust boundaries, and file-system structures that are not reliably inferred by general-purpose models.
A particular extension, developed for the Common Log File System (CLFS), generates triggering log artifacts from candidate findings automatically, allowing the framework to go beyond theoretical detection and provide proof-based vulnerability validation that engineering teams can use to remedy vulnerabilities directly.
Using CVE-2026-33827 as an example of advanced flaws that conventional single-model AI systems routinely fail to identify, Microsoft highlighted that vulnerability. In order to address this vulnerability, Microsoft implemented a strict source and record route processing process that improperly managed a reference-counted Path object during the Windows IPv4 receive path.
It is possible that the affected function reused the same pointer under alternate execution flow conditions after releasing its owned reference through a dereference operation, therefore causing a race-driven use-after-free scenario in kernel memory.
Due to the fact that the vulnerable code path processes attacker-controlled packet metadata and executes within an elevated networking context, a remote attacker could potentially exploit this flaw by sending specially crafted IPv4 packets containing SSRR options to their hosts.
A Microsoft representative explained that the problem became significantly more dangerous as a result of the concurrency behavior of multiple independent cleanup subsystems that were capable of reclaiming the object before further reuse.
According to the company, single-model artificial intelligence systems often fail to detect such vulnerabilities since ownership violations are not readily apparent locally and are instead dependent on correlating reference semantics, branching conditions, concurrency interactions, and analogous patterns spread across distinct code paths to determine the violation.
The MDASH system was reported to have successfully analyzed the behavior of objects during their lifetimes, compared implementation inconsistencies elsewhere in the codebase, and assembled a coherent exploitation chain by using staged reasoning and adversarial verification through specialized agents. During Patch Tuesday in April 2026, the flaw was addressed.
Furthermore, Microsoft disclosed CVE-2026-33824, a critical double-free vulnerability affecting IKEEXT, a key exchange service for IPsec authentication. Remotely accessible via UDP port 500, the vulnerability is capable of triggering against systems configured as IKEv2 responders, such as RRAS VPNs, DirectAccesss, Always-On VPNs, and hosts with IPsec security policies that govern inbound connections.
There was a vulnerability caused by an ownership handling error during fragment reassembly, which caused a packet receive context to be duplicated by using shallow memory copy operations.
A deterministic heap corruption condition was created within the LocalSystem svchost.exe process when teardown routines released the same memory region twice, resulting in reference to and assumption of ownership of the same heap allocation linked to a security realm identifier controlled by an attacker.
The vulnerability is particularly severe from a defensive perspective, as it only requires two crafted UDP packets without race conditions or precise timing requirements, making exploitation particularly easy. During analysis of the codebase, the company identified that the flaw extended across six separate source files, and that the vulnerability was triggered by subtle differences between ownership handling patterns that were incorrect and correctly implemented elsewhere.
Microsoft has stated that multiple file aliasing and lifecycle vulnerabilities are routinely evaded by conventional automated analysis because a single execution context does not expose the entire exploitation chain at once. MDASH's multi-agent debate and verification architecture is specifically credited for identifying those fragmented relationships and confirming the exploit path before publication.
The issue was also patched as part of April 2026 Patch Tuesday.
There is a notable shift in how large-scale software security auditing will evolve in enterprise environments with the emergence of MDASH. Modern operating systems are becoming increasingly complex and difficult to assess through traditional manual methods alone.
The Microsoft AI platform combines autonomous reasoning, adversarial validation, and exploit-focused analysis in a coordinated multi-agent framework, enabling AI to not merely serve as a productivity tool, but also to provide an operational security layer capable of detecting deeply buried vulnerabilities within critical infrastructure code.
A growing number of threat actors are leveraging automation in offensive campaigns, and the company’s latest findings suggest that defensive research may become increasingly dependent on AI-driven systems capable of identifying exploitable weaknesses before they become operational.
