DocsQuick StartAI News
AI NewsMicrosoft MDASH framework tops CyberGym: 100+ models collaboratively uncover 16 Windows 11 vulnerabilities
Industry News

Microsoft MDASH framework tops CyberGym: 100+ models collaboratively uncover 16 Windows 11 vulnerabilities

2026-05-13T07:13:18.506Z
Microsoft MDASH framework tops CyberGym: 100+ models collaboratively uncover 16 Windows 11 vulnerabilities

Microsoft CEO Satya Nadella officially announced the MDASH security framework, which integrates over 100 intelligent agents with frontier and distilled models. It achieved a top score of 88.45% on the CyberGym benchmark, and among the 120 Windows 11 vulnerabilities fixed on the May Patch Tuesday, 16 were discovered by it.

Microsoft MDASH Framework Tops CyberGym: 100+ Models Collaborate to Identify 16 Windows 11 Vulnerabilities

Microsoft CEO Satya Nadella announced today (May 13) on platform X a noteworthy development: during yesterday’s Patch Tuesday event, 16 of the 120 vulnerabilities fixed in Windows 11 were discovered by Microsoft’s self-developed AI security system MDASH. This is not a demo—it’s real CVEs caught directly in a production environment.

Behind this figure is over a year’s effort by Microsoft’s Autonomous Code Security (ACS) team. MDASH (Multi-agent Debate and Scan Hierarchy) is a multi-model intelligent agent framework for security scanning. Its core idea is to employ more than 100 specialized agents working in coordination, combining state-of-the-art large models with distilled small models to cover the complete workflow of vulnerability discovery, debate verification, deduplication, and proof generation, ultimately producing verifiable vulnerability reports.

88.45% Tops CyberGym, 5 Percentage Points Ahead of the Runner-up

Microsoft’s official blog detailed MDASH’s performance across multiple benchmarks. The most impressive is the CyberGym public benchmark—a dataset containing 1,507 real vulnerability tasks—where MDASH achieved an 88.45% score, about 5 percentage points ahead of the second place (83.1%).

Even more impressive are the historical vulnerability recall tests. On 28 Microsoft Security Response Center (MSRC) cases for clfs.sys from the past five years, MDASH achieved a 96% recall rate; for seven cases in tcpip.sys, recall was a perfect 100%.

On a never-before-published private driver, StorageDrive, MDASH identified all 21 injected vulnerabilities with zero false positives. The “zero false positives” part is critical—security teams’ biggest headache is being buried under false alarms, which makes real vulnerabilities easy to miss.

MDASH framework performance comparison on CyberGym benchmark, showing 88.45% leading the second place

Adversarial Verification: Letting Two Agents Challenge Each Other

The biggest issue with traditional static analysis tools is their high false positive rate. MDASH addresses this by introducing an adversarial process: one agent marks suspicious code paths, while another is tasked with refuting them. Only results that withstand cross-validation are submitted to engineers.

It’s a clever design. A single model can easily be misled by a local code snippet, misidentifying something that “looks like a vulnerability but isn’t.” But if another model analyzes from the opposite angle, trying to prove “this is not a vulnerability,” weak false positives are filtered out.

Microsoft’s blog examined two classic cases in detail:

Case 1: CVE-2026-33827 in tcpip.sys

This is a Use-After-Free (UAF) vulnerability, located in the SSRR (Strict Source Route Record) handling logic. The issue involves complex control flows, reference-counted object lifecycles, and concurrent release paths—making it hard for a single model to spot the use-after-free risk based on local code alone.

MDASH’s approach: one agent tracks the object’s lifecycle, another analyzes concurrency paths, and a third verifies release timing. Their combined conclusions confirmed this as a severe, remotely triggerable, credential-free vulnerability.

Case 2: CVE-2026-33824 in ikeext.dll

This is a Double Free vulnerability spanning six source files, essentially caused by aliasing from shallow copies. During IKEv2 protocol handling, the same memory block is referenced by two different pointers, and because alias relationships weren’t properly handled during deallocation, the same memory was freed twice.

Traditional tools struggle to detect such cross-file, cross-module vulnerabilities, since each file looks fine in isolation—the issue lies in module interaction. Through multi-agent collaboration, one MDASH agent tracked memory allocation, another tracked pointer aliases, and a third verified deallocation logic—ultimately uncovering this deeply hidden vulnerability.

May Patch Tuesday: 16 CVEs Found by MDASH

During the May 12 Patch Tuesday event, Windows 11 fixed 120 vulnerabilities, 16 of which were assisted by MDASH. These 16 CVEs span multiple core components:

  • tcpip.sys: network protocol stack, SSRR remote unauthenticated UAF
  • ikeext.dll: IKEv2 protocol handler, double free
  • http.sys: HTTP protocol stack
  • netlogon.dll: domain controller authentication, stack overflow
  • dnsapi.dll: DNS client, heap out-of-bounds

Of these 16 vulnerabilities, 10 are kernel-mode and 6 user-mode, most reachable remotely without credentials. Critical ones include tcpip.sys’s remote UAF, ikeext.dll’s double free, netlogon.dll’s stack overflow, and dnsapi.dll’s heap overflow.

Their common traits: complex, hidden, and cross-module. Traditional fuzzing and static analysis tools rarely reach such cases—but MDASH’s multi-agent collaboration cracked these “tough nuts.”

AI Agent Security: An Overlooked Systemic Risk

Interestingly, Microsoft’s MDASH announcement coincides with a new academic report on AI agent security. A joint study by Stanford, MIT, CMU, ITU Copenhagen, and NVIDIA found that among 847 production-deployed autonomous agents, 91% had toolchain attack vulnerabilities, 89.4% exhibited goal drift after about 30 steps, and 94% of memory-augmented agents were vulnerable to “poisoning.”

The contrast is fascinating. Microsoft uses AI agents to catch vulnerabilities—but AI agents themselves are high-risk targets. The OpenClaw/Moltbook incident of early 2026 was a typical example: a single vulnerability in Moltbook’s platform database led to the simultaneous compromise of 770,000 running AI agents, each holding privileged access to users’ devices, email, and files.

AI agents are more fragile than traditional LLMs because LLM security focuses on “whether the model can say unsafe things,” while agent security concerns “whether the model can do unsafe things”—including tool calls with real-world impact, state modifications affecting future behavior, and multi-step plans that only later violate rules.

MDASH Architecture: Hybrid of Cutting-edge and Distilled Models

The core MDASH design is a hybrid of “cutting-edge models + distilled models.” Cutting-edge models (e.g., GPT-4, Claude 3.5) handle complex reasoning and global analysis, while distilled models (e.g., Phi-3, Mistral 7B) handle fast scanning and local verification.

The advantage: cutting-edge models are powerful but costly and slow, unsuitable for large-scale scans; distilled models are faster and cheaper but less capable—ideal for initial triage. Combining both ensures coverage while controlling cost.

Workflow:

  1. Discovery Phase: distilled models quickly scan codebases and flag suspicious paths
  2. Debate Phase: cutting-edge models perform in-depth analysis; one argues “this is a vulnerability,” the other “this is not”
  3. Deduplication Phase: overlapping findings representing the same underlying issue are merged
  4. Verification Phase: generate Proof of Concept (PoC) code to test exploitability
  5. Proof Phase: generate detailed vulnerability report with trigger path, impact scope, and remediation advice

Throughout the process, over 100 specialized agents take distinct roles—tracking memory allocation, analyzing concurrency, verifying release logic, or generating PoCs. This “division of labor” approach is far more efficient than a single large model doing everything at once.

Compared to Traditional Tools: Where MDASH Excels

Traditional vulnerability scanners fall into three main types:

  1. Static Analysis Tools (e.g., Coverity, Fortify): analyze source or binaries to identify potential issues—high coverage but high false positives, poor at complex control flows.
  2. Dynamic Analysis Tools (e.g., Fuzzing): generate massive test cases to trigger crashes during execution—low false positives but low coverage, weak at deep logic.
  3. Symbolic Execution Tools (e.g., KLEE, angr): symbolic inputs explore all possible paths—comprehensive in theory but struggle with path explosion, scaling poorly to large codebases.

MDASH’s advantages:

  • High Recall Rate: multi-agent cooperation covers complex cases hard for traditional tools
  • Low False Positives: adversarial verification filters out false alarms
  • Scalability: distilled models for triage, cutting-edge ones for deep analysis—cost manageable
  • Explainability: detailed, verifiable vulnerability reports including trigger paths and remedies

Of course, MDASH has limitations:

  • Model Dependency: if underlying models don’t understand a vulnerability pattern, MDASH can’t catch it
  • Cost: even with distilled models, reasoning cost of advanced models remains high
  • Speed: multi-round agent interactions are slower than conventional tools

Industry Impact: AI-driven Security Toolchains Taking Shape

MDASH’s launch signals AI-driven security toolchains are moving from labs to production. Over the past year, several parallel efforts have emerged:

  • Tencent Cloud’s NeuroSploit: a multi-agent collaborative penetration testing system boosting vulnerability discovery success to 58.2%
  • Microsoft’s AI Agent Runtime Protection Toolkit: focused on runtime safety and enterprise-grade governance
  • Microsoft’s AI Agent Failure Whitepaper: a comprehensive analysis of malicious agent attack patterns

Common traits: they no longer rely on manually written rules, but let AI learn vulnerability patterns autonomously. This “AI secures AI” philosophy could define the next generation of security tooling.

At the same time, agent security itself cannot be ignored. Studies from Stanford and others show 91% of production AI agents have toolchain vulnerabilities and 94% are vulnerable to poisoning—meaning that while AI hunts vulnerabilities, we must also secure AI.

Developer Perspective: What MDASH Offers

For developers, MDASH means:

  1. Reduced False Positives: traditional static analysis tools have false positive rates above 90%; developers waste time triaging noise. MDASH’s adversarial verification brings this near zero, letting teams focus on real issues.
  2. Deep Vulnerability Discovery: traditional tools miss cross-module and cross-file flaws; MDASH’s agents cover these.
  3. Faster Fix Cycles: MDASH reports include trigger paths, impact, and fixes, speeding remediation.
  4. Lower Security Costs: traditional audits require expensive, time-consuming expert teams; MDASH automates most of it.

MDASH remains internal to Microsoft, not publicly available. But its design principles could be replicated using open-source models and frameworks. Developers can adopt MDASH’s methodology to build their own scanning toolchains.

Future Outlook: The Next Steps for AI Security Tools

MDASH’s success proves multi-agent collaboration works in cybersecurity, but this is just the beginning. Future directions include:

  1. More Specialized Agents: today’s MDASH uses general-purpose models; task-specific training could further boost accuracy.
  2. Real-time Security Monitoring: expanding from code auditing to runtime threat detection and prevention.
  3. Cross-language Support: today focused on C/C++; future-ready for Java, Python, Rust, and more.
  4. Open Ecosystem: opening source or APIs would greatly accelerate AI security adoption.
  5. Agent Self-Security: securing the agents themselves must be part of any mature AI governance strategy.

As AI advances, security tooling evolves rapidly. MDASH marks the transition from lab experiments to production deployment in AI-driven security. For developers, it is both an opportunity and a challenge: AI can help discover more vulnerabilities and enhance security—but AI itself may become an attack surface, demanding careful use and governance.

Microsoft’s public MDASH announcement is not only a showcase of technical might, but also a wake-up call for the industry: AI security isn’t a future concern—it’s a challenge we must face right now.


References

Related Articles

View All

Contact Us

We usually reply quickly during business hours

Scan WeChat

Support: Hub Assistant

WeChat ID: