Microsoft MDASH — multi-model agentic vulnerability-discovery harness, 16 Windows CVEs found in network-stack kernel components

The two Semantic Kernel CVEs are the highest-signal new CVE pair of the week even without confirmed in-the-wild exploitation: both flaws stem from a shared design weakness that an agent framework treats LLM-controlled values as input to executable abstractions without explicit validation at the boundary. The Python SDK flaw (CVE-2026-26030, CWE-94) interpolates an LLM-controlled parameter into the InMemoryVectorStore filter expression via f-string composition; a string-blocklist validator is bypassed by the canonical "".__class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, yielding subprocess.Popen-equivalent execution on the agent process's host. A public PoC exists in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post. The .NET SDK flaw (CVE-2026-25592, CWE-22 effectively a sandbox-escape) ships a stray [KernelFunction] attribute on SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync; the LLM can therefore invoke those methods with attacker-chosen path arguments, yielding an arbitrary file write that breaks containment from the Azure Container Apps Python sessions sandbox onto the agent process's host filesystem (Microsoft Security Blog, 2026-05-07 · GitHub GHSA-xjw9-4gw8-4rqx · GitHub GHSA-2ww3-72rp-wpp4 · daily 2026-05-10 deep dive).

Both flaws bypass prompt-side mitigations (output filtering, response classifiers, "let the LLM judge") because the dangerous operation occurs inside the SDK. The same class of bug is highly likely to exist in LangChain, CrewAI, AutoGen, Haystack, and LlamaIndex; defenders should not assume Semantic Kernel is uniquely affected. Patch path: Python SDK ≥ 1.39.4, .NET SDK ≥ 1.71.0; audit every [KernelFunction]-decorated method for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs, and remove the decorator from anything that does not need to be LLM-callable. ATT&CK: T1059.006 Python, T1611 Escape to Host, T1565.001, T1005 Data from Local System.

Microsoft shipped roughly 120 CVE fixes in the May 2026 cumulative updates (source counts vary 118–138 depending on whether developer-tools and Azure-only items are included); ZDI counts ~30 Critical, none under active exploitation at release (Tenable, 2026-05-12; Krebs on Security, 2026-05-12; ZDI, 2026-05-12). CVE-2026-41089 (Windows Netlogon, CVSS 9.8, CWE-121 stack buffer overflow): unauthenticated remote attacker over the network reaches the domain-controller Netlogon RPC endpoint; Microsoft marks "Exploitation Less Likely" but ZDI flags the pattern as wormable-candidate. CVE-2026-41096 (Windows DNS Client, CVSS 9.8, CWE-122 heap overflow in dnsapi.dll): a crafted DNS response from a MitM or rogue resolver yields code execution as NetworkService on every Windows host; defender exposure is anywhere a host might receive an attacker-influenced DNS reply. CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1, "Exploitation More Likely"): unauthenticated attacker forges an Entra ID credential to sign in to self-managed Atlassian; affects public-sector DevSecOps stacks using Microsoft's Entra-ID auth plugin. CVE-2026-42898 (Dynamics 365 On-Premises, CVSS 9.9): authenticated code injection with scope change — a rare privilege-boundary violation in this product family. Four Microsoft Word RCEs (CVE-2026-40361 / CVE-2026-40364 / CVE-2026-40366 / CVE-2026-40367, CVSS 8.4 each) have the Preview Pane as an attack vector and two are rated "Exploitation More Likely". MITRE ATT&CK mappings: T1210 Exploitation of Remote Services (Netlogon), T1071.004 Application Layer Protocol: DNS (DNS Client), T1078.004 Cloud Accounts (Entra forgery). Detection concepts: monitor Netlogon authentication-pattern anomalies (4624 Logon Type 3 to DCs from unexpected internal sources, paired with 4769 ticket-request anomalies); alert on outbound DNS to non-corporate resolvers from DC and member hosts; audit Atlassian SSO plugin version inventory; disable Outlook Preview Pane as an interim mitigation for Word RCEs. Hardening: prioritise DCs first (Netlogon is on the DC boundary); inventory dnsapi.dll patch state across the fleet; inventory self-managed Atlassian deployments and apply the SSO plugin update before the next work week.

Microsoft's Autonomous Code Security team published a detailed technical disclosure on 2026-05-12 of MDASH, an AI-orchestrated vulnerability-discovery pipeline running over 100 specialised agents across an ensemble of frontier and distilled models (Microsoft Security Blog, 2026-05-12). The pipeline executes a five-stage prepare → scan → validate → dedup → prove loop that ends with an automated end-to-end exploitability proof before a finding is sent to engineering — meaning every MDASH-disclosed CVE was validated as practically exploitable, not just theoretically reachable. In MDASH's first production run against Windows the harness produced 16 previously unknown CVEs concentrated in the network-exposed kernel attack surface — tcpip.sys (Windows TCP/IP stack), ikeext.dll (the Windows IKEv2 keying service for DirectAccess and Always-On VPN), netlogon.dll, and dnsapi.dll — split as 10 kernel-mode and 6 user-mode bugs, including four Critical RCEs. The harness scored 88.45% on the public CyberGym benchmark (1,507 real-world CVEs across 188 open-source projects) and achieved 100% recall on the tcpip.sys historical-CVE corpus (The Register, 2026-05-13). Microsoft has scheduled a customer-facing preview of the harness for June 2026.

Defender takeaway: Two operational implications. First, the MDASH-discovered Windows CVEs (a substantial subset of the May 2026 Patch Tuesday in § 2) should be treated as "practically exploitable" even without observed ITW activity, because the proof-of-exploitability stage runs before disclosure — that lifts these above the typical "Less Likely / More Likely" scoring noise. Second, the ikeext.dll surface is directly relevant to EU public-sector remote-access deployments: DirectAccess and Always-On VPN are widely deployed as the AD-integrated remote-access primitive across Swiss federal and EU government estates; any unauthenticated bug in ikeext.dll is a remote-perimeter risk. Mapped to T1190 Exploit Public-Facing Application and T1133 External Remote Services. Hardening: expedite May 2026 cumulative update on internet-exposed Windows hosts with DirectAccess / Always-On VPN; verify the network-perimeter ACL still scopes IKEv2 reach to known client networks.

UPDATE (originally covered 2026-05-09): Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH initial access → shell spawn → execution of an ELF binary that triggers the LPE primitive in either CVE-2026-43284 (xfrm-ESP page-cache write) or CVE-2026-43500 (RxRPC page-cache write). This is the first formal "exploited in the wild" attribution since the V4bel write-up published on 2026-05-07.

Red Hat published RHSB-2026-003 covering both CVEs on 2026-05-07 and updated it on 2026-05-09, with backported errata rolling out to RHEL 8/9/10 and OpenShift 4 (Red Hat RHSB-2026-003). NCSC.ch issued Security Hub post 12547 on 2026-05-08 noting "Proof of Concept Available" and advising temporary blacklisting of the esp4, esp6 and rxrpc kernel modules pending distribution backports. Belgium's CCB issued a parallel advisory (CCB Belgium, 2026-05-08).

The upstream xfrm-ESP fix merged on 2026-05-07 (kernel commit referenced by V4bel and corroborated by Red Hat); the RxRPC fix was still pending in the netdev tree at time of writing. AlmaLinux backported kernels on 2026-05-08; Ubuntu noted fixes will arrive via the kernel image package. Defender hunt focus: outbound SSH-to-unprivileged-shell-to-ELF-execution chains immediately followed by setuid(0) or su invocations, plus suspicious setsockopt(AF_ALG) patterns on the esp4/esp6/rxrpc modules followed by splice() syscalls into the page cache of read-only files. The Microsoft post emphasises that the page-cache write primitive bypasses on-disk file integrity monitoring (AIDE / IMA-EVM / auditd watch rules) — post-incident forensics must compare in-memory page contents against on-disk checksums, not just md5sum of the file.

Mitigation note (carried from 2026-05-09): on Ubuntu where unprivileged user namespaces are blocked by default, the esp4/esp6 path is harder to reach because CAP_NET_ADMIN is required — but the RxRPC path remains exploitable without user-namespaces; the two CVEs are designed to complement each other. Where IPsec is in use, Red Hat suggests kernel.unprivileged_userns_clone=0 (sysctl) as a less disruptive mitigation than full esp4/esp6 module blacklisting. AFS users cannot blacklist rxrpc without losing AFS — wait for the distribution backport.

Pull Red Hat / AlmaLinux / openSUSE / Ubuntu kernel updates for CVE-2026-43284 (xfrm-ESP) and CVE-2026-43500 (RxRPC) as they land; Red Hat RHSB-2026-003 was updated 2026-05-09 and errata are rolling to RHEL 8/9/10. Where patches are not yet available, blacklist the esp4 / esp6 / rxrpc modules via /etc/modprobe.d/ after assessing IPsec / AFS dependencies — or, less disruptive on Ubuntu-style estates with default-blocked user namespaces, set kernel.unprivileged_userns_clone=0 via sysctl. Post-incident forensics on suspected Dirty Frag compromise cannot rely on md5sum of files (the primitive writes to page cache, not disk) — compare in-memory page contents against authoritative checksums.

CVE-2026-26030 (CWE-94, CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function. An f-string composes the LINQ-like filter expression directly from an LLM-controlled parameter rather than parameterising it; the SDK applies a blocklist validator that an attacker bypasses with the well-known __class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, escaping the validator and yielding os.system-equivalent execution on the host running the agent. Affected versions: Python SDK < 1.39.4. CVE-2026-25592 (CWE-22, CVSS 9.9) is a class-design flaw in the .NET SDK: SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync carry a [KernelFunction] attribute that should not have been applied — the LLM can therefore call those methods directly with attacker-chosen path arguments, yielding an arbitrary file-write primitive that breaks containment from the Azure Container Apps Python sessions sandbox into the host filesystem of the agent process. Affected versions: .NET SDK < 1.71.0. Both issues require only that an attacker can inject prompt content the agent consumes (user input, retrieved RAG documents, tool outputs) and that the agent is using a default-configured Search Plugin or Sessions Python plugin (Microsoft Security Blog, 2026-05-07 · GitHub Security Advisory GHSA-xjw9-4gw8-4rqx, 2026-05-07 · GitHub Security Advisory GHSA-2ww3-72rp-wpp4, 2026-05-07).

A working PoC for CVE-2026-26030 is public in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post; no in-the-wild exploitation has been reported. Patches: Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 — note that the GitHub Security Advisory for CVE-2026-25592 records 1.39.3 as its minimum patched Python version, and 1.39.4 (the patched version for CVE-2026-26030) supersedes 1.39.3 and closes both CVEs. Microsoft characterises both flaws as systemic of agentic-AI patterns that "trust LLM-controlled parameters without explicit validation" — readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks. Full deep dive in § 5.

Upgrade Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 (Microsoft Security Blog, 2026-05-07). Audit every [KernelFunction]-decorated method in your codebase for path, file-handle, raw-string-into-code, SQL, and URL parameter types; remove the decorator from anything that does not need to be LLM-callable. If upgrade is blocked, implement a Function Invocation Filter as a near-term mitigation. Apply the same hygiene check to LangChain, CrewAI, AutoGen and Haystack agents — the class of bug is not Microsoft-specific.

UPDATE (originally covered 2026-05-06):

CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the algif_aead module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).

Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the algif_aead module is available and rxrpc/esp* are not, and Dirty Frag on hosts where user namespaces are enabled without algif_aead. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.