Security Bulletin: Multiple Microsoft Defender vulnerabilities exploited in the wild

Written by RedLegg's Cyber Threat Intelligence Team | 5/20/26 10:48 PM

About:

Microsoft has disclosed multiple vulnerabilities affecting Microsoft Defender and the Microsoft Malware Protection Engine that are actively exploited in the wild.

CVE-2026-41091 is an elevation of privilege vulnerability caused by improper link resolution before file access, also known as link following. A local attacker may exploit the flaw to gain elevated privileges and execute actions with higher integrity permissions on affected systems.

CVE-2026-45498 is a denial of service vulnerability affecting Microsoft Defender and the Microsoft Defender Antimalware Platform. Successful exploitation may disrupt Defender functionality and impact endpoint protection operations.

Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Microsoft Defender Elevation of Privilege Vulnerability

CVSS Score: 7.8 (High, CVSS v3.1)

Identifier: CVE-2026-41091

PoC or Exploitation:
Microsoft confirmed active exploitation of this vulnerability in the wild. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. There is currently no validated public proof-of-concept exploit.

Update/Patch:

Microsoft has released updates addressing this vulnerability.

Affected versions include:
Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier

Fixed versions include:
Microsoft Malware Protection Engine version 1.1.26040.8 and later

Microsoft advisory and patch guidance:

Description:

CVE-2026-41091 is an elevation of privilege vulnerability affecting Microsoft Defender and the Microsoft Malware Protection Engine.

The vulnerability is caused by improper link resolution before file access, also known as link following, allowing local attackers to exploit file handling behavior to gain elevated privileges.

Successful exploitation may allow attackers to elevate privileges to higher integrity levels and potentially execute actions with elevated permissions on affected systems.

Mitigation Recommendation:

Immediately update Microsoft Malware Protection Engine deployments to version 1.1.26040.8 or later.

Verify endpoint protection platforms, Defender components, and managed systems have successfully received updated engine packages.

Prioritize remediation for systems exposed to untrusted local execution paths, shared environments, developer workstations, and multi-user systems.

Monitor systems for suspicious privilege escalation behavior, unexpected Defender process activity, abnormal symbolic link usage, or anomalous file operations.

Conduct threat hunting and forensic review for evidence of local privilege escalation activity on systems that remained unpatched.

Microsoft Defender Denial of Service Vulnerability

CVSS Score: 4.7 (Medium, CVSS v3.1)

Identifier: CVE-2026-45498

PoC or Exploitation:

CISA has added CVE-2026-45498 to the Known Exploited Vulnerabilities (KEV) catalog.

Update/Patch:

Microsoft has released updates addressing this vulnerability.

Affected versions include:
Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier

Fixed versions include:
Microsoft Defender Antimalware Platform version 4.18.26040.7 and later

Microsoft advisory and patch guidance: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498

Description:

CVE-2026-45498 is a denial of service vulnerability affecting Microsoft Defender and the Microsoft Defender Antimalware Platform.

Successful exploitation may allow an attacker to trigger a denial of service condition affecting Microsoft Defender functionality on vulnerable systems.

Mitigation Recommendation:

Immediately update Microsoft Defender Antimalware Platform deployments to version 4.18.26040.7 or later.

Verify endpoint systems have successfully received updated antimalware platform packages and validate update deployment status through centralized management tooling.

Prioritize remediation for internet-connected endpoints, privileged workstations, shared systems, virtual desktop infrastructure, and environments with extensive local user access.

Monitor Defender operational status, endpoint telemetry, security logs, and system events for abnormal service interruptions or unexpected Defender behavior.

Conduct threat hunting and forensic review on systems that remained unpatched during the active exploitation window.
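The "verify updated packages" and "monitor Defender operational status" steps in both mitigation sections above can be checked on a host with the Defender PowerShell module. This is an added example, not RedLegg's or Microsoft's code; it assumes Get-MpComputerStatus is available and compares the reported engine (AMEngineVersion) and platform (AMProductVersion) versions against the fixed versions stated in this bulletin.

```powershell
# Added example (not from the bulletin): compare a host's Defender engine and
# antimalware platform versions against the fixed versions in this bulletin,
# and confirm the Defender service and real-time protection are still running.
# Assumes the Defender module (Get-MpComputerStatus) is present on the host.

$FixedEngine   = [version]'1.1.26040.8'   # CVE-2026-41091 fixed engine version
$FixedPlatform = [version]'4.18.26040.7'  # CVE-2026-45498 fixed platform version

function Test-DefenderPatchState {
    param(
        [Parameter(Mandatory)][version]$EngineVersion,
        [Parameter(Mandatory)][version]$PlatformVersion,
        [bool]$ServiceEnabled = $true,
        [bool]$RealTimeProtectionEnabled = $true
    )
    # [version] comparison is numeric per component, so 1.1.26040.8 > 1.1.26030.3008
    # even though the last component is smaller.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EngineVersion       = $EngineVersion
        EnginePatched       = ($EngineVersion -ge $FixedEngine)
        PlatformVersion     = $PlatformVersion
        PlatformPatched     = ($PlatformVersion -ge $FixedPlatform)
        ServiceEnabled      = $ServiceEnabled
        RealTimeProtection  = $RealTimeProtectionEnabled
    }
}

$status = Get-MpComputerStatus
$result = Test-DefenderPatchState `
    -EngineVersion             $status.AMEngineVersion `
    -PlatformVersion           $status.AMProductVersion `
    -ServiceEnabled            $status.AMServiceEnabled `
    -RealTimeProtectionEnabled $status.RealTimeProtectionEnabled

$result | Format-List

# Non-zero exit lets a management tool or scheduled job flag the host for follow-up.
if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning "Defender engine/platform below the fixed versions; schedule out-of-band update."
    exit 1
}
if (-not ($result.ServiceEnabled -and $result.RealTimeProtection)) {
    Write-Warning "Defender service or real-time protection is not running; investigate for service disruption."
    exit 2
}
```

Run it through your management tooling or Invoke-Command across the fleet and collect the returned objects to build the remediation priority list the bulletin calls for.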