How to Fix Microsoft Defender Zero-Day Vulnerabilities CVE-2026-41091 and CVE-2026-45498

Microsoft patched two actively exploited zero-day vulnerabilities in Microsoft Defender on May 19, 2026. Both flaws are confirmed to be exploited in the wild, and CISA has added them to its Known Exploited Vulnerabilities catalog. If you run Windows, you need to verify that your Defender update installed correctly.

Microsoft Defender Zero-Day Patch Fix (CVE-2026-41091)

This guide explains what each vulnerability does, which systems it affects, and exactly how to confirm your device is protected.

What Is CVE-2026-41091

CVE-2026-41091 is a privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll). It carries a CVSS severity score of 7.8 out of 10, rated High.

The flaw comes from an improper link resolution before file access weakness, also classified as CWE-59 (link following). An attacker with low-level local access can exploit this flaw to gain SYSTEM-level privileges on the target machine, which is the highest privilege level on a Windows device.

DetailValue
CVE IDCVE-2026-41091
ImpactElevation of Privilege
CVSS Score7.8 / 6.8
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
Publicly DisclosedYes
Actively ExploitedYes

The last affected version of the Microsoft Malware Protection Engine is 1.1.26030.3008. The fix ships in version 1.1.26040.8.

What Is CVE-2026-45498

CVE-2026-45498 is a denial-of-service (DoS) vulnerability in the Microsoft Defender Antimalware Platform. It carries a CVSS severity score of 4.0, rated Low for severity, but Microsoft and CISA both confirm active exploitation in the wild.

Successful exploitation lets an attacker trigger a denial-of-service state on unpatched Windows devices, effectively disabling protection at a critical moment.

DetailValue
CVE IDCVE-2026-45498
ImpactDenial of Service
CVSS Score4.0 / 3.5
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
Publicly DisclosedYes
Actively ExploitedYes

The last affected version of the Microsoft Defender Antimalware Platform is 4.18.26030.3011. The fix ships in version 4.18.26040.7.

Which Products Are Affected

Both vulnerabilities affect Microsoft Defender and products that rely on the same underlying engine and platform:

  • Microsoft Defender (all supported Windows versions)
  • Microsoft System Center Endpoint Protection
  • Microsoft System Center 2012 R2 Endpoint Protection
  • Microsoft System Center 2012 Endpoint Protection
  • Microsoft Security Essentials

If you run any of these products and have not verified your update, your device may still be vulnerable.

Note for administrators: If Windows Defender is disabled in your environment, vulnerability scanners may still flag your devices. The Defender binaries remain on disk even when the service is off. However, disabled systems are not in an exploitable state.

How Microsoft Fixed the Vulnerabilities

Microsoft released two updated components to address the flaws:

  • Malware Protection Engine 1.1.26040.8 patches CVE-2026-41091
  • Antimalware Platform 4.18.26040.7 patches CVE-2026-45498

Under the default Windows Defender configuration, these updates install automatically. Microsoft’s default antimalware configuration keeps malware definitions and the Malware Protection Engine current without requiring user action.

However, because both vulnerabilities are actively exploited, you should manually verify the update landed on your device.

How to Verify Your Microsoft Defender Is Updated

Follow these steps to confirm your system received the patch:

Step 1: Press the Windows key, type Security in the search bar, and select Windows Security from the results.

Step 2: In the left navigation pane, select Virus and threat protection.

Step 3: Under the Virus and threat protection section, click Protection updates.

Step 4: Click Check for updates. Allow Windows to download and install any pending updates.

Step 5: Go back to the navigation pane, select Settings, then select About.

Step 6: Check the Antimalware Client Version number.

  • If the Malware Protection Engine version shows 1.1.26040.8 or higher, you are protected against CVE-2026-41091.
  • If the Antimalware Platform version shows 4.18.26040.7 or higher, you are protected against CVE-2026-45498.

If either version number is lower than those thresholds, run Check for updates again and restart your device if prompted.

How Often Does Microsoft Update Defender

Microsoft typically releases a Malware Protection Engine update once a month or as needed to address new threats. Malware definitions update three times daily under normal conditions, and Microsoft increases that frequency during active threat campaigns.

Depending on your configuration, Defender may check for platform, engine, and definition updates every time your device connects to the internet, or multiple times per day. You can also trigger a manual check at any time through the Protection updates screen.

CISA Order and Federal Deadline

On May 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by June 3, 2026. Agencies that cannot apply the patch must discontinue use of the affected software.

CISA’s advisory stated: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

Although the BOD 22-01 deadline applies only to federal agencies, CISA urges all organizations to treat KEV catalog vulnerabilities as high-priority remediation items in their vulnerability management workflow.

What to Do If the Update Did Not Install

If your Defender version remains below the patched thresholds after running a manual update check, try these steps:

  1. Restart your device and check again. Some updates require a reboot to complete installation.
  2. Open Windows Update (Settings > Windows Update) and install any pending updates. Platform updates sometimes arrive through Windows Update rather than through Defender’s own update channel.
  3. On enterprise systems, confirm that your software distribution or endpoint management tool (such as WSUS, SCCM, or Intune) is configured to push Windows Defender updates automatically.
  4. If you manage devices through Microsoft Defender for Endpoint, verify that the update baseline policy in your tenant includes the patched engine and platform versions.

If you continue to see a version below the patched threshold, check Microsoft’s documentation for Manage Updates Baselines Microsoft Defender Antivirus to troubleshoot your update channel.

Microsoft Defender Zero-Day Patch

CVETypeAffected ComponentFixed VersionSeverity
CVE-2026-41091Elevation of PrivilegeMalware Protection Engine1.1.26040.8High (7.8)
CVE-2026-45498Denial of ServiceAntimalware Platform4.18.26040.7Low (4.0)

Both vulnerabilities are actively exploited. Check your Antimalware Client Version in Windows Security > About to confirm your device is protected. If the update has not installed, run a manual check for updates and restart your device.

Related Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply