MICROSOFT’S security post reveals that its new multi-model agentic scanning harness, codename MDASH, helped researchers uncover 16 CVEs across the Windows networking and authentication stack, including remote code execution flaws in tcpip[.]sys and an unauthenticated double-free in ikeext[.]dll. Across the Patch Tuesday cohort, the vulnerabilities span 10 kernel-mode and 6 user-mode issues, with several reachable from the network with no credentials.
The harness, which uses more than 100 specialized agents and an end-to-end prove pipeline, is designed to surface cross-file and cross-stage bugs that single-model systems miss, according to Microsoft Security Blog. In tests on StorageDrive, all 21 deliberately injected vulnerabilities were correctly identified with zero false positives, and the approach achieved 96% recall on clfs[.]sys and 100% recall on tcpip[.]sys against MSRC cases, plus an 88.45% CyberGym score on real-world tasks.
The post notes MDASH is being used in production contexts and is available for limited private preview, with the aim of making AI-driven vulnerability discovery scalable for defenders of all sizes. 12 May 2026.