Attackers Are Using Microsoft Defender Against You: Fix CVE-2026-41091 and CVE-2026-45498 Now

The software running on your PC right now to block attackers has two confirmed vulnerabilities that attackers are already exploiting. Microsoft Defender, installed by default on every Windows device, is the target.

Microsoft patched two actively exploited zero-days on May 19, 2026. The first, CVE-2026-41091, lets an attacker escalate privileges all the way to SYSTEM level through the Malware Protection Engine. The second, CVE-2026-45498, knocks Defender offline entirely with a denial-of-service attack, leaving your device without any active threat detection.

Attackers Are Using Microsoft Defender Against You: Fix CVE-2026-41091 and CVE-2026-45498 Now

Both flaws carry confirmed in-the-wild exploitation. CISA added them to its Known Exploited Vulnerabilities catalog the following day and ordered federal agencies to patch by June 3, 2026. If you have not verified your Defender version since May 19, your device may still be exposed.

What Is CVE-2026-41091?

CVE-2026-41091 is a privilege escalation vulnerability in Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. It stems from an improper link resolution before file access (link following) weakness, classified as CWE-59.

In a link following attack, the product attempts to access a file by name but fails to block that filename from resolving to a symbolic link or shortcut that points to an unintended resource. An attacker who exploits this flaw on a vulnerable system gains SYSTEM-level privileges, the highest permission level available on Windows.

What Is CVE-2026-45498?

CVE-2026-45498 affects Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. Successful exploitation lets threat actors trigger a denial-of-service (DoS) state on the target device, taking Defender offline and leaving the system without active threat detection.

This platform also powers several related Microsoft security products:

  • Microsoft System Center Endpoint Protection
  • System Center 2012 R2 Endpoint Protection
  • System Center 2012 Endpoint Protection
  • Microsoft Security Essentials

If you run any of these products on an unpatched version, your systems remain at risk.

What Systems Are Affected?

Both vulnerabilities target Microsoft security components that ship with Windows by default. The affected versions are:

VulnerabilityComponentAffected Version
CVE-2026-41091Microsoft Malware Protection Engine1.1.26030.3008 and earlier
CVE-2026-45498Microsoft Defender Antimalware Platform4.18.26030.3011 and earlier

The patched versions are:

  • Microsoft Malware Protection Engine: 1.1.26040.8
  • Microsoft Defender Antimalware Platform: 4.18.26040.7

Any Windows device with automatic updates enabled should receive the fix automatically. However, default behavior does not guarantee that the update installed on schedule, so verifying manually is a critical step.

CISA Warning and Remediation Deadline

On May 20, 2026, CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog as part of a batch of seven newly catalogued flaws.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must patch their Windows endpoints and servers by June 3, 2026.

CISA warned that this class of vulnerability frequently serves as an entry point for malicious actors and poses significant risk to the federal enterprise. The agency directed all affected organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue the product if no mitigation is available.

While the BOD directive formally targets federal agencies, CISA strongly encourages every organization and individual user to treat the KEV catalog as a priority patching list. Active exploitation is confirmed on both CVEs, which means attackers are already deploying these flaws in real-world attacks.

Around the same time, CISA also published mitigations for YellowKey, a Windows BitLocker zero-day that lets attackers access the contents of protected drives without credentials.

Why Both Vulnerabilities Are Dangerous Together

CVE-2026-41091 and CVE-2026-45498 target different components of Defender but create a serious combined threat on a single unpatched machine.

An attacker could exploit CVE-2026-45498 first to trigger a DoS condition, knocking Defender offline and disabling real-time threat detection. With the security layer down, the same attacker could then use CVE-2026-41091 to escalate privileges to SYSTEM level without interference from the disabled antivirus component.

Microsoft has faced a steady wave of actively exploited zero-days this year. The company issued an emergency patch for a Microsoft Office zero-day (CVE-2026-21509) that allowed attackers to bypass built-in security protections. Google addressed a similar urgent situation with the Chrome zero-day CVE-2026-2441, the first confirmed Chrome zero-day of 2026.

How to Apply the Fix

Microsoft states that the default configuration in Microsoft antimalware software handles definition and platform updates automatically. In most cases, no manual action is required.

However, if your device has automatic updates restricted by group policy, a metered connection, or a delayed update ring, you should force a manual update immediately.

To manually update Windows Defender:

  1. Open Windows Security (type “Security” in the Start menu search bar and select the app).
  2. In the left navigation pane, select Virus and threat protection.
  3. Under the “Virus and threat protection updates” section, click Protection updates.
  4. Click Check for updates.

Windows will download and install the latest Malware Protection Engine and Antimalware Platform versions if they are not already present.

How to Verify the Update Was Installed

After running the update, confirm the correct engine and platform versions are active on your device.

  1. Open Windows Security.
  2. Select Virus and threat protection in the navigation pane.
  3. Click Protection updates under the Virus and threat protection updates section.
  4. Click Check for updates to confirm no pending updates remain.
  5. Return to the navigation pane and select Settings.
  6. Click About.
  7. Check the Antimalware Client Version number.

The update is installed successfully if your version number matches or exceeds:

  • Malware Protection Engine: 1.1.26040.8 or later
  • Antimalware Platform: 4.18.26040.7 or later

If your version falls below either of these numbers, run the update check again and restart your device if prompted.

Related Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply