Microsoft Defender privilege escalation and DoS vulnerabilities exploited in attacks
Summary
Microsoft disclosed and patched two zero-day vulnerabilities in Microsoft Defender components that are being actively exploited in the wild. CVE-2026-41091 is a privilege escalation flaw in the Microsoft Malware Protection Engine (versions 1.1.26030.3008 and earlier) caused by improper link resolution before file access (link following); an attacker who already runs code on the host can abuse it to gain SYSTEM privileges. CVE-2026-45498 is a denial-of-service (DoS) vulnerability in the Defender Antimalware Platform (versions 4.18.26030.3011 and earlier) that lets an attacker put an unpatched Windows device into a DoS state. The flaws affect the Windows Defender Antimalware Platform, System Center Endpoint Protection, and related Microsoft antimalware products. Microsoft fixed them in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7; in the default configuration both components update automatically, so most endpoints receive the fix without manual intervention. CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog and, under BOD 22-01, requires Federal Civilian Executive Branch (FCEB) agencies to patch within two weeks.
Timeline
- 21.05.2026 10:49 · 1 article
Microsoft Defender zero-days CVE-2026-41091 and CVE-2026-45498 added to KEV Catalog with federal patch deadline
CISA added Microsoft Defender privilege escalation (CVE-2026-41091) and DoS (CVE-2026-45498) vulnerabilities to the Known Exploited Vulnerabilities Catalog on May 20, 2026. Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-supplied patches or mitigations by June 3, 2026, in accordance with Binding Operational Directive (BOD) 22-01. The mandate applies to Windows endpoints and servers running affected Microsoft Defender components, including those used by System Center Endpoint Protection and Security Essentials.
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
Information Snippets
-
CVE-2026-41091 is a privilege escalation vulnerability in Microsoft Malware Protection Engine (versions ≤ 1.1.26030.3008) arising from improper link resolution before file access, enabling attackers to gain SYSTEM privileges.
First reported: 21.05.2026 10:49 · 1 source, 1 article
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
-
CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender Antimalware Platform (versions ≤ 4.18.26030.3011) that allows threat actors to trigger DoS states on unpatched Windows devices.
First reported: 21.05.2026 10:49 · 1 source, 1 article
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
-
Microsoft released Malware Protection Engine version 1.1.26040.8 (fixing CVE-2026-41091) and Defender Antimalware Platform version 4.18.26040.7 (fixing CVE-2026-45498) to address the vulnerabilities.
First reported: 21.05.2026 10:49 · 1 source, 1 article
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
-
Microsoft stated that default configurations in Microsoft antimalware software ensure automatic updates for malware definitions and the Windows Defender Antimalware Platform, reducing the need for manual user intervention.
First reported: 21.05.2026 10:49 · 1 source, 1 article
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
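Because automatic updates do not guarantee that every endpoint has actually picked up the fixed engine and platform builds, the practical check is to compare the versions Defender reports against the fixed versions named above. The PowerShell below is an added example, not code from Microsoft, CISA, or the cited article: it reads the engine and platform versions from the built-in `Get-MpComputerStatus` cmdlet, flags any host still below 1.1.26040.8 or 4.18.26040.7, and kicks off `Update-MpSignature` when the engine is stale. The function name `Test-DefenderPatched` and the output object shape are the author's own; the fixed version numbers come from the page.

```powershell
# Added example: verify an endpoint is on the Defender engine/platform builds that
# fix CVE-2026-41091 and CVE-2026-45498, and trigger an update if it is not.
# Fixed versions are taken from the advisory summary above; the function name
# and the output object shape are assumptions for this example.
function Test-DefenderPatched {
    param(
        # Output of Get-MpComputerStatus (passed in so the function can also be
        # run against status objects collected from remote hosts via Invoke-Command).
        [Parameter(Mandatory)] $Status,
        [version] $FixedEngine   = '1.1.26040.8',   # Malware Protection Engine fix
        [version] $FixedPlatform = '4.18.26040.7'   # Antimalware Platform fix
    )

    # Defender reports four-part version strings; cast them so comparison is
    # numeric per component rather than lexical (1.1.26040.8 > 1.1.26030.3008).
    $engine   = [version]$Status.AMEngineVersion
    $platform = [version]$Status.AMProductVersion

    $findings = @()
    if ($engine -lt $FixedEngine) {
        $findings += "Engine $engine is below $FixedEngine (CVE-2026-41091 unpatched)"
    }
    if ($platform -lt $FixedPlatform) {
        $findings += "Platform $platform is below $FixedPlatform (CVE-2026-45498 unpatched)"
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        PlatformVersion = $platform
        Patched         = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Usage on the local host. Get-MpComputerStatus throws if the Defender service
# is absent or disabled (e.g. a server running third-party AV), so catch that
# rather than reporting a false "patched".
try {
    $result = Test-DefenderPatched -Status (Get-MpComputerStatus)
} catch {
    Write-Warning "Defender status unavailable on $env:COMPUTERNAME: $($_.Exception.Message)"
    return
}

if ($result.Patched) {
    Write-Output "OK: engine $($result.EngineVersion), platform $($result.PlatformVersion)"
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    # Update-MpSignature pulls current definitions and the engine build with them.
    # The platform (4.18.x) is delivered through Windows Update / Microsoft Update
    # rather than the signature channel, so re-run this check after the next
    # Windows Update cycle if only the platform finding remains.
    Update-MpSignature -ErrorAction Stop
    $result = Test-DefenderPatched -Status (Get-MpComputerStatus)
    $result | Format-List ComputerName, EngineVersion, PlatformVersion, Patched, Findings
}
```

For fleet-wide coverage, collect `Get-MpComputerStatus` from each host with `Invoke-Command` and feed the returned objects to `Test-DefenderPatched`; hosts that throw on `Get-MpComputerStatus` should be treated as unknown, not compliant, since a stopped Defender service also means no automatic update will arrive.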
-
CISA added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog and mandated Federal Civilian Executive Branch (FCEB) agencies to patch within two weeks under BOD 22-01.
First reported: 21.05.2026 10:49 · 1 source, 1 article
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49