Microsoft's MDASH AI found 16 critical Windows flaws before hackers could exploit them

Microsoft has a new AI system that hunts for Windows vulnerabilities, and it just proved its worth. The system, codenamed MDASH, found 16 security flaws in Windows before any attacker could get to them, including four critical remote code execution bugs that could have handed unauthenticated attackers a straight line into enterprise networks. All 16 were patched in the May 12 Patch Tuesday. Satya Nadella posted about it on X the next day.

MDASH stands for Multi-model Agentic Scanning Harness. Microsoft's Autonomous Code Security team built it, with several members coming from Team Atlanta, the group that won the $29.5 million DARPA AI Cyber Challenge. It does not work like a traditional scanner or a single AI model reviewing code. It runs more than 100 specialized agents across a mix of frontier and distilled models, each one assigned a specific job: some look for flaws, others challenge whether the finding is real, and a final stage tries to build inputs that prove the bug is actually exploitable. Only then does a human engineer see the result.

What it found

The 16 vulnerabilities are spread across the Windows TCP/IP stack, the IKEEXT IPsec service, and HTTP.sys, Netlogon, Windows DNS, and the Telnet client. Ten were kernel-mode. Most were reachable over the network without any credentials. Two of the four critical flaws stand out. CVE-2026-33827 lives in tcpip.sys and is triggered by crafted IPv4 packets. CVE-2026-33824 is a pre-authentication double-free in the IKEEXT service, reachable over UDP port 500 on machines running RRAS VPN, DirectAccess, or Always-On VPN. Both yield LocalSystem execution. Two more critical flaws in Netlogon and the Windows DNS Client each carried CVSS scores of 9.8.

Microsoft says these were not bugs that a standard scanner would surface. The tcpip.sys flaw required reasoning across three concurrent code paths, all freeing the same object. The IKEEXT issue spanned six source files. That kind of multi-file, multi-path analysis is exactly where single-model approaches fall apart.

How it measures up

MDASH scored 88.45% on CyberGym, a UC Berkeley benchmark built around 1,507 real-world vulnerability reproduction tasks. That put it at the top of the public leaderboard. Anthropic's Mythos Preview model scored 83.1%. OpenAI's GPT-5.5 scored 81.8%. In private testing against a Windows driver codebase called StorageDrive that had never been publicly released, MDASH found all 21 planted vulnerabilities with zero false positives. Against five years of confirmed MSRC cases in clfs.sys and tcpip.sys, it hit 96% and 100% recall.

The system is model-agnostic. Microsoft can swap the underlying models as newer ones arrive without rebuilding the pipeline. MDASH is currently in limited private preview with a small group of enterprise customers. Broader availability is expected in the months ahead. The announcement follows Anthropic's Project Glasswing and OpenAI's Daybreak initiative, both running similar programs behind narrow access gates. All three are racing to find exploitable flaws before attackers do, and the gap between AI-powered defense and AI-powered offense is narrowing fast.

The other side of that race is already underway. Notebookcheck covered Google's confirmation of the first known zero-day exploit developed by AI, used in a planned mass exploitation campaign targeting a 2FA bypass in a widely used web administration tool