Submit finding

All findings

CVE-2026-33827 + 15 more critical

Microsoft MDASH publishes 16 Windows networking and authentication CVEs

Microsoft says its multi-model agentic scanning harness, codename MDASH, helped researchers find 16 CVEs across Windows networking and authentication code, including four Critical remote code execution flaws.

Bug class
Windows network-stack and authentication vulnerability-discovery cluster
Affected codebase
Windows TCP/IP, IKEEXT, Netlogon, DNS, HTTP.sys, Telnet
Credited system
Microsoft MDASH
Disclosed
May 12, 2026
Attribution
Direct source attribution
Severity
critical
Source status: Microsoft's May 12, 2026 Security Blog post directly names codename MDASH, says the 5.12.2026 Patch Tuesday cohort includes 16 CVEs found using the harness, and lists the CVE IDs, affected components, severity labels, and bug classes. MSRC/NVD-style records corroborate the public CVEs and security-update fixes.

Summary

Microsoft’s May 12, 2026 Security Blog post enumerates a 16-CVE cohort that Microsoft says was found using codename MDASH, its multi-model agentic scanning harness. The group spans tcpip.sys, ikeext.dll, netlogon.dll, dnsapi.dll, http.sys, and telnet.exe.

The highest-impact items in Microsoft’s table are four Critical remote code execution flaws:

The remaining CVEs cover denial of service, information disclosure, security feature bypass, elevation of privilege, and one additional Important remote code execution issue across Windows network-adjacent components.

Attribution

This is a direct-attribution entry. The primary source is Microsoft itself: the Security Blog post names codename MDASH, describes the scanning harness, lists the 16 CVEs in the Patch Tuesday cohort, and includes technical deep dives for CVE-2026-33827 and CVE-2026-33824.

The MSRC release and CVE pages are linked as corroborating public advisory records. They are not needed for the AI attribution; they confirm that the listed vulnerabilities were shipped as public security updates.

Why it matters

This is the strongest Microsoft-side bugflation signal so far. It is not a single assisted review or a retrospective benchmark: Microsoft says an internal AI vulnerability-discovery system fed directly into a monthly security release for Windows networking and authentication components.

The important operational signal is the combination of volume, target quality, and validation. Windows networking code is a mature, high-value target, and the published cohort includes remotely reachable Critical bugs where false positives would be expensive to triage.

References

Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.