AI Security Roundup: Defender Zero-Days Under Active Exploitation, YellowKey BitLocker Bypass Gets Mitigated, and Claude Code’s Silent Sandbox Fix


Three stories dominated the AI security feed this past week: Microsoft confirmed active in-the-wild exploitation of two Defender flaws it has since patched, a researcher called out Anthropic for quietly fixing a Claude Code sandbox bypass without any user notice, and Google’s Chrome advisories hinted that AI tooling is now discovering vulnerabilities at a scale that wasn’t possible a year ago. Here’s what happened and why it matters if you’re running Microsoft workloads.

Microsoft Defender Zero-Days Confirmed Exploited in the Wild

Microsoft disclosed that two vulnerabilities in the Microsoft Defender Antimalware Platform are under active exploitation. The first, CVE-2026-41091 (CVSS 7.8), is a privilege escalation flaw caused by improper link resolution before file access — a successful attacker can reach SYSTEM-level privileges. The second, CVE-2026-45498 (CVSS 4.0), is a denial-of-service bug. Both have been patched in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively. A third flaw addressed in the same update, CVE-2026-45584 (CVSS 8.1), is a heap-based buffer overflow capable of remote code execution — there is no evidence of in-the-wild exploitation yet. The CVE descriptions overlap with the “RedSun” and “UnDefend” techniques publicly released by the researcher known as Chaotic Eclipse (aka Nightmare-Eclipse), and Huntress has observed attacks using those techniques alongside a third, called BlueHammer. If your Defender signatures aren’t auto-updating, or you’re in a managed environment with update controls, verify now that you’re on the patched platform versions. (The Hacker News, May 21)

YellowKey BitLocker Bypass Gets Mitigations — But No Full Patch Yet

Microsoft released official mitigations for CVE-2026-45585 (CVSS 6.8), the so-called YellowKey vulnerability, which allows an attacker with physical access to bypass BitLocker using a USB drive and a Windows Recovery Environment trick. The exploit uses a malicious FsTx directory on the USB drive to trigger Transactional NTFS replay, which deletes winpeshl.ini from the System32 folder during WinRE boot — dropping the attacker into a command prompt with the underlying partition’s BitLocker encryption unlocked. Microsoft’s mitigation involves removing autofstx.exe from the WinRE image on each device and re-establishing BitLocker trust; the company also recommends adding a BitLocker PIN, though the researcher behind the exploit claims the bypass works even with TPM+PIN configurations. Physical access is still required, but it’s worth flagging for hybrid work environments where unattended devices travel. (SecurityWeek, May 20)

Anthropic Quietly Patched a Claude Code Sandbox Bypass — Users Never Told

Researcher Aonan Guan disclosed a SOCKS5 hostname null-byte injection flaw in Claude Code’s network sandbox. The sandbox is supposed to enforce an outbound allowlist, but Guan showed that a hostname of the form attacker-host.com\0.google.com (a null byte followed by an allowlisted suffix) caused the filter to approve the connection, since it saw the trailing .google.com, while the OS truncated the name at the null byte and actually dialed the attacker’s host. Anthropic fixed the issue in Claude Code version 2.1.88, shipped March 31 — before Guan’s HackerOne report on April 3 — but issued no CVE, no mention in the release notes, and no user notification. This matters particularly because the sandbox bypass chains naturally with prompt injection: Guan’s earlier “Comment and Control” research showed that AI agents running in GitHub Actions could be hijacked via malicious PR comments, and a sandbox bypass is exactly what makes such a hijack exfiltration-capable. A related earlier bypass (CVE-2025-66479), which caused the sandbox to treat block-all as allow-all, was fixed in November 2025 with similarly minimal disclosure. If you’re running Claude Code agents in CI/CD pipelines, confirm you’re on a current version and check that your outbound egress controls aren’t delegated entirely to the tool’s own sandbox. (SecurityWeek, May 20)
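To make the parser differential concrete, here is an added Node.js example (not Claude Code’s own code): it frames a SOCKS5 CONNECT request whose length-prefixed domain name legally contains a NUL byte, shows that a suffix-matching allowlist approves it while a NUL-terminating resolver sees only the first part, and contrasts a hardened check that validates the exact string before matching. The allowlist suffix and hostnames are constructed for the demo.

```javascript
// Added example, not Claude Code's implementation. A SOCKS5 CONNECT with
// ATYP=0x03 carries a length-prefixed domain name (RFC 1928), so a NUL byte
// inside the name is legal on the wire even though DNS will never accept it.

const ALLOWED_SUFFIXES = ['.google.com']; // constructed allowlist for the demo

// Frame a SOCKS5 CONNECT request: VER CMD RSV ATYP LEN <name> PORT(2 bytes).
function buildSocks5Connect(hostname, port) {
  const name = Buffer.from(hostname, 'latin1');
  const head = Buffer.from([0x05, 0x01, 0x00, 0x03, name.length]);
  const portBuf = Buffer.alloc(2);
  portBuf.writeUInt16BE(port);
  return Buffer.concat([head, name, portBuf]);
}

// Pull the destination name back out exactly as framed, NUL bytes included.
function parseSocks5Hostname(buf) {
  if (buf[0] !== 0x05 || buf[3] !== 0x03) throw new Error('not a SOCKS5 domain request');
  return buf.subarray(5, 5 + buf[4]).toString('latin1');
}

// Vulnerable filter: a plain suffix match over the whole framed string.
function naiveAllowed(hostname) {
  return ALLOWED_SUFFIXES.some((s) => hostname.endsWith(s));
}

// What a C-string based resolver effectively dials: everything up to the first NUL.
function hostAsSeenByResolver(hostname) {
  const nul = hostname.indexOf('\0');
  return nul === -1 ? hostname : hostname.slice(0, nul);
}

// Hardened filter: only syntactically valid hostnames (letters, digits, hyphens,
// dots) get as far as the suffix match, so NUL and other junk are rejected first.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^(?=.{1,253}$)(?:${LABEL}\\.)*${LABEL}$`, 'i');
function hardenedAllowed(hostname) {
  if (!HOSTNAME_RE.test(hostname)) return false;
  return ALLOWED_SUFFIXES.some((s) => hostname.endsWith(s));
}

// Run one hostname through framing, parsing and both filters.
function evaluate(hostname) {
  const parsed = parseSocks5Hostname(buildSocks5Connect(hostname, 443));
  return {
    filterSees: parsed,
    resolverSees: hostAsSeenByResolver(parsed),
    naive: naiveAllowed(parsed),
    hardened: hardenedAllowed(parsed),
  };
}
```

The general lesson is the same for any allowlist: validate the exact byte string that will be handed to the dialer, not a representation that a later layer may reinterpret.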

AI Is Now Finding Hundreds of Vulnerabilities in Chrome — and Likely Elsewhere

Google’s Chrome security advisories started listing “reported by Google” for a handful of vulnerabilities in March, but the count jumped to 16 in the April 15 release, 21 on April 28, and then hit 100 in the May 5 advisory. More than 70 additional internally found flaws appeared across the two most recent releases. Google hasn’t officially confirmed AI as the driver, but its own language when it announced reduced bug bounties — noting that AI and automation are helping teams move at an unprecedented rate — makes the picture clear enough. Microsoft and Palo Alto have also credited AI tools with large vulnerability discovery runs in recent months. This isn’t a threat story, but it is a signal: the attack-surface audit that used to take quarters is starting to take days, and that pressure will land on the defensive side of Microsoft environments (Windows, Edge, M365) whether or not your team is driving it. (SecurityWeek, May 21)

What to Watch

Chaotic Eclipse has been dropping Windows zero-days at a steady clip for the past six weeks — YellowKey, GreenPlasma, MiniPlasma, BlueHammer, RedSun, UnDefend — and not all of them have full patches yet. Keep an eye on MSRC for updates, and if you’re managing Defender policy centrally through Intune or Defender for Endpoint, confirm your platform version telemetry is surfacing in your Sentinel workspace so you can detect endpoints running vulnerable antimalware versions.
