8 ATR Rules That Catch Microsoft Semantic Kernel CVE-2026-25592/26030
On 2026-05-07 Microsoft disclosed two CVEs in Semantic Kernel: CVE-2026-26030 (in-memory vector store unsafe string interpolation enabling Python class hierarchy traversal to RCE) and CVE-2026-25592 (KernelFunction-exposed file-write primitive enabling persistence via Windows Startup). Microsoft AGT already deploys 287 ATR rules. Here is the 8-rule mapping that catches the attack class at runtime, with the bridge issue filed upstream.
The Disclosure
Microsoft Security Blog published two CVE advisories on 2026-05-07 affecting Semantic Kernel:
- CVE-2026-26030 — In-memory vector store unsafe string interpolation in a lambda filter. An attacker who controls vector content can traverse the Python class hierarchy via the interpolated lambda and reach `__subclasses__` of `object`. End state: arbitrary Python evaluation, RCE.
- CVE-2026-25592 — A `KernelFunction` exposes a file-write primitive without scope validation. An agent under prompt influence writes to the Windows Startup directory. End state: RCE on next reboot, persistent.
Affected versions: Semantic Kernel Python <1.39.4, .NET <1.71.0. Patches available now.
Why This Matters For Microsoft AGT
Microsoft Agent Governance Toolkit already deploys 287 ATR rules via the weekly auto-sync we built with the AGT team in Q1. These two CVEs are textbook agent runtime attacks — they are exactly the threat class ATR was designed to detect.
Patching closes the specific vulnerabilities. ATR rules close the attack class at runtime, including variants that have not been disclosed yet.
CVE-2026-26030 — Rule Mapping
| Rule ID | Pattern | Coverage |
|---|---|---|
| ATR-2026-00110 | eval-injection | direct — flags string-interpolated eval/exec/lambda construction |
| ATR-2026-00112 | dynamic-import-exploitation | direct — detects __subclasses__, __import__, __bases__ traversal |
| ATR-2026-00111 | shell-escape | adjacent — catches RCE shell payloads that land after the eval primitive |
| ATR-2026-00066 | parameter-injection | upstream — flags user-controlled content reaching dangerous sinks |
ATR-2026-00112 specifically tracks the Python class hierarchy traversal idiom (`().__class__.__bases__[0].__subclasses__()`) that is the canonical escape from a sandbox to arbitrary execution.
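As an added illustration (not ATR's rule logic and not Semantic Kernel code), the block below shows the two sides of this finding: an AST-based scan that flags the traversal idiom above in a filter expression before it is ever interpolated into a lambda, beside a filter builder that takes structured parts instead of a string, so there is nothing to interpolate. Function names, the attribute list and the sample expressions are assumptions constructed for this example.

```python
import ast
import operator

# Attribute names that reach the class hierarchy or import machinery.
# Constructed for this example; not the contents of any ATR rule.
TRAVERSAL_ATTRS = {"__class__", "__bases__", "__mro__", "__subclasses__",
                   "__globals__", "__builtins__", "__getattribute__", "__dict__"}
DANGEROUS_NAMES = {"eval", "exec", "__import__", "compile", "getattr", "open"}

def scan_filter_expression(expr: str) -> list[str]:
    """Findings for a filter expression a caller intends to interpolate into
    a lambda. An empty list means no traversal or eval idiom was seen."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        # Unparseable input must never reach eval(); report it as a finding.
        return [f"syntax-error:{exc.msg}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in TRAVERSAL_ATTRS:
            findings.append(f"dunder-traversal:{node.attr}")
        elif isinstance(node, ast.Name) and node.id in DANGEROUS_NAMES:
            findings.append(f"dangerous-name:{node.id}")
        elif isinstance(node, ast.Lambda):
            findings.append("lambda-construction")
    return findings

# Hardened form: the filter is built from structured parts. No user string is
# ever evaluated, so the traversal idiom has no sink to reach.
ALLOWED_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
               "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def build_filter(field: str, op: str, value):
    """Return a predicate over dict records; rejects private fields and
    operators outside the allowlist instead of interpolating them."""
    if not field.isidentifier() or field.startswith("_"):
        raise ValueError(f"disallowed field name: {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"disallowed operator: {op!r}")
    compare = ALLOWED_OPS[op]
    # A record lacking the field simply does not match.
    return lambda record: field in record and compare(record[field], value)

# Constructed sample inputs for this example.
BENIGN_EXPR = "record['category'] == 'docs'"
TRAVERSAL_EXPR = "().__class__.__bases__[0].__subclasses__()"  # idiom from the text
```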
CVE-2026-25592 — Rule Mapping
| Rule ID | Pattern | Coverage |
|---|---|---|
| ATR-2026-00204 | stealth-execution-persistence | direct — flags writes to Startup/Run/Task Scheduler locations |
| ATR-2026-00123 | skill-overreach-permissions | direct — flags skills with filesystem access disproportionate to declared purpose |
| ATR-2026-00041 | scope-creep | direct — detects agent operations outside its declared scope |
| ATR-2026-00064 | over-permissioned-skill | upstream — pre-deployment flag for skills that expose file-write without justification |
ATR-2026-00204 is the runtime detector. ATR-2026-00064 is the pre-deployment audit gate that would have caught the over-broad KernelFunction during skill review before it ever reached production.
The Upstream Bridge
We filed microsoft/agent-governance-toolkit#1937 walking through both CVEs with the 8-rule mapping and confirming which rules are already in the AGT 287-rule pack versus the 43 rules in the full 336-rule corpus that are not yet synced.
Quick status:
- 6 of 8 rules in the mapping are already deployed in AGT today
- 2 rules (ATR-2026-00204, ATR-2026-00112) are in the full corpus and pending the next sync cycle
AGT runs against agent skill manifests at build time and against agent runtime telemetry. Both CVEs hit detectable signatures in both lanes.
Takeaway
CVE patches fix the bug. Detection rules fix the bug class. The two CVE patterns disclosed this week are not the last of their kind — string interpolation into dynamic evaluation and over-permissioned skill primitives will continue to ship in agent frameworks. Detection at the attack-class layer is durable; per-CVE patching is not.