Microsoft AI Finds 4 Critical Windows RCE Flaws

Microsoft's new agentic security system has discovered 16 new vulnerabilities in Windows, including four critical remote code execution flaws. This system, called MDASH, uses over 100 specialized AI agents. What's interesting is that two of these critical flaws, CVE-2026-40361 and CVE-2026-40364, are considered more likely to be exploited. Microsoft built MDASH to find, debate, and validate vulnerabilities end-to-end. The company tested MDASH against a private Windows driver with 21 intentionally injected flaws, and MDASH found all of them without false positives. This shows its ability to approximate professional offensive researchers. MDASH also achieved a 96% recall rate against five years of confirmed Microsoft security vulnerabilities in clfs.sys and 100% in tcpip.sys. It scored 88.45% on the public CyberGym benchmark, placing it at the top of the leaderboard. The bottom line: AI-powered vulnerability discovery is moving from research to production-grade defense, potentially changing how software security is managed.