Microsoft Defender Zero‑Days Patched May 20: CVE‑2026‑41091 and CVE‑2026‑45498 Explained
Microsoft released an out‑of‑band Defender update on May 20, 2026 to fix two zero‑day vulnerabilities—CVE‑2026‑41091 (privilege escalation via link‑following) and CVE‑2026‑45498 (denial of service)—both confirmed as a... The most dangerous flaw, CVE‑2026‑41091, can let a local attacker escalate to SYSTEM privileges...
Microsoft patched two actively exploited Defender vulnerabilities in an out‑of‑band update on May 20, 2026.
Microsoft issued an out‑of‑band security update on May 20, 2026 to address two Microsoft Defender vulnerabilities already being exploited in real‑world attacks. The flaws—CVE‑2026‑41091 and CVE‑2026‑45498—affect the Defender antimalware ecosystem used across modern Windows systems and were quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a listing that signals confirmed exploitation and an urgent need to patch.
While the vulnerabilities differ technically—one enables privilege escalation and the other can disrupt Defender protections—both affect security controls that many organizations rely on as their first line of defense.
The Two Defender Zero‑Days Patched May 20
CVE‑2026‑41091 — Local Privilege Escalation in Microsoft Defender
CVE‑2026‑41091 is a link‑following vulnerability in Microsoft Defender caused by improper resolution of file links before accessing them. In practical terms, Defender may follow a symbolic link or similar filesystem redirection controlled by a user, performing an operation on a different file than intended.
Because Defender processes certain files with elevated privileges, a malicious local user could exploit this behavior to influence those operations and elevate privileges to SYSTEM level, gaining full control of the machine.
Key characteristics:
Vulnerability type: improper link resolution (“link following”)
Impact: local privilege escalation to SYSTEM
CVSS v3.1 severity: 7.8 (High)
Exploitation requires a local authenticated attacker rather than remote access.
Attacks involving link‑following vulnerabilities typically involve:
Creating a malicious symbolic link, junction, or reparse point
Triggering Defender to access or modify the linked file
Redirecting the operation to a protected system location
Although public advisories do not disclose full exploit details, this class of vulnerability is well understood and frequently used in privilege‑escalation chains.
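The weakness class described above (CWE‑59, improper link resolution before file access) has a well known defensive counterpart: before a privileged component acts on a path, every component of that path is checked for a reparse point and the operation is refused if one is found. The PowerShell below is an added illustration of that check and is not Microsoft's code; Defender's internal handling is not public, and the function name `Test-PathFreeOfLinks` and the scratch-directory demonstration are constructed for this example.

```powershell
# Added example (not from Microsoft or the article): walk every component of a path
# and refuse it if any component is a reparse point (symbolic link, junction, mount point).
# This is the check that a link-following bug omits or performs too late.
function Test-PathFreeOfLinks {
    param([Parameter(Mandatory)][string]$Path)
    # Normalise relative segments (..\) first so the walk covers the real components.
    $full    = [System.IO.Path]::GetFullPath($Path)
    $current = [System.IO.Path]::GetPathRoot($full)
    $parts   = $full.Substring($current.Length) -split '[\\/]' | Where-Object { $_ }
    foreach ($part in $parts) {
        $current = Join-Path $current $part
        # A missing component cannot be a link, and nothing beyond it exists to follow.
        if (-not (Test-Path -LiteralPath $current)) { break }
        $item = Get-Item -LiteralPath $current -Force
        if ($item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) {
            return [pscustomobject]@{
                Safe      = $false
                Component = $current
                LinkType  = $item.LinkType
                Target    = ($item.Target -join ';')
            }
        }
    }
    [pscustomobject]@{ Safe = $true; Component = $null; LinkType = $null; Target = $null }
}

# Constructed demonstration in a scratch directory under %TEMP%. Creating the symbolic
# link requires an elevated session or Developer Mode on Windows.
$scratch = Join-Path $env:TEMP 'linkcheck-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $scratch 'plain.txt') -Force | Out-Null
New-Item -ItemType SymbolicLink -Path (Join-Path $scratch 'redir') -Target $env:SystemRoot -Force | Out-Null

Test-PathFreeOfLinks (Join-Path $scratch 'plain.txt')             # Safe = True
Test-PathFreeOfLinks (Join-Path $scratch 'redir\System32\x.log')  # Safe = False, Component ends in \redir
```

A script-level check like this is inherently a time-of-check/time-of-use race: a local user can replace a component with a link between the check and the privileged open. In native code the equivalent hardening is done on the handle itself (opening with the reparse-point flag so links are not followed, or verifying the opened object's final path), which is why the fix for this class of bug lives inside the privileged component rather than in a wrapper around it.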
CVE‑2026‑45498 — Microsoft Defender Denial‑of‑Service Vulnerability
The second flaw, CVE‑2026‑45498, allows attackers to trigger a denial‑of‑service condition in Microsoft Defender. Public technical documentation currently describes it only as an unspecified vulnerability that can cause service disruption.
A successful exploit could:
crash Defender components
interrupt malware scanning
temporarily disable protection workflows
Because Defender provides real‑time endpoint protection, disrupting it could create a window where malware or post‑exploitation activity proceeds without detection.
The exact exploitation method has not been publicly detailed at the time of disclosure.
Evidence of Active Exploitation
Microsoft confirmed that both vulnerabilities were already being exploited in the wild, which prompted the urgent out‑of‑band update. Security reporting and advisories note that attackers were actively targeting these flaws before patches were widely deployed.
Several indicators support this assessment:
Both CVEs were added to CISA’s Known Exploited Vulnerabilities catalog, a designation used only when exploitation evidence exists.
Security reporting states Microsoft acknowledged active exploitation of the privilege‑escalation and DoS flaws affecting Defender.
Vulnerability trackers list the issues as actively exploited high‑severity vulnerabilities.
However, publicly available sources do not yet provide detailed exploit samples, indicators of compromise, or confirmed victim telemetry.
Affected Systems and Defender Components
The vulnerabilities affect Microsoft Defender components, meaning the risk is tied primarily to Defender platform and engine versions rather than the underlying Windows build.
Affected environments include:
Windows 11 systems running Defender
Windows Server deployments using Defender
Enterprise endpoints protected by the Microsoft Malware Protection Engine
Advisories indicate that vulnerable Defender engine versions include builds prior to 1.1.26040.8, while affected Defender platform versions include builds prior to 4.18.26040.7.
Because Defender’s malware engine and platform components update independently from Windows OS patches, administrators should verify the installed Defender version instead of assuming that updating Windows alone resolves the issue.
Possible Connection to the “Nightmare‑Eclipse” Activity
Security researchers have also discussed a broader wave of Microsoft‑focused exploit releases associated with an actor known as Nightmare‑Eclipse (also called Chaotic Eclipse). This actor has published several Windows and Defender exploits during 2026 following a dispute with Microsoft over vulnerability disclosure.
Researchers describe the activity as a sequence of zero‑day releases targeting Microsoft security tooling and operating system components.
However, available evidence does not definitively link CVE‑2026‑41091 or CVE‑2026‑45498 to that campaign. Current reporting only places them within a broader pattern of Defender‑related vulnerabilities and exploitation activity.
Recommended Mitigation and Defensive Actions
Organizations running Windows systems with Microsoft Defender should treat these vulnerabilities as high‑priority patch items.
Recommended steps include:
Install the latest Microsoft Defender platform and engine updates released with the May 20 out‑of‑band update.
Verify Defender component versions across endpoints rather than relying only on Windows OS patch levels.
Prioritize patching on multi‑user systems, servers, VDI environments, and developer workstations, where privilege escalation risk is highest.
Monitor systems for abnormal Defender behavior, including crashes or unexpected service restarts.
Watch for suspicious filesystem artifacts such as unexpected symbolic links or reparse points in user‑writable directories.
If immediate patching is not possible, organizations should reduce risk by restricting local interactive access, minimizing administrative privileges, and closely monitoring endpoint protection status.
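Two of the steps above are easy to get wrong at scale: confirming the Defender engine and platform builds (which, as the affected-versions section notes, move independently of the Windows build) and spotting new links in user-writable locations. The PowerShell below is an added example that does both; it is not Microsoft tooling or code from this article. It uses the built-in `Get-MpComputerStatus` cmdlet, takes the fixed builds 1.1.26040.8 (engine) and 4.18.26040.7 (platform) from the advisory summary in this article, and the directory list in `Find-UserWritableLinks` is a constructed starting point to extend for your own estate.

```powershell
# Added example (not from Microsoft or the article). Run in an elevated PowerShell
# session on the endpoint being checked.
# Fixed builds as stated in the article's affected-versions section.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    # Get-MpComputerStatus is the built-in Defender cmdlet. AMEngineVersion is the
    # Malware Protection Engine build; AMProductVersion is the Defender platform build.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $engine
        EngineFixed     = ($engine -ge $FixedEngine)
        PlatformVersion = $platform
        PlatformFixed   = ($platform -ge $FixedPlatform)
        Patched         = ($engine -ge $FixedEngine) -and ($platform -ge $FixedPlatform)
    }
}

function Find-UserWritableLinks {
    param(
        # Constructed default list of commonly user-writable locations; extend as needed.
        [string[]]$Paths = @($env:TEMP, "$env:SystemRoot\Temp", 'C:\Users\Public', 'C:\ProgramData')
    )
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Only symbolic links and junctions are reported. Cloud-file reparse points
        # (for example OneDrive placeholders) carry no LinkType and are skipped.
        Get-ChildItem -LiteralPath $p -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in 'SymbolicLink', 'Junction' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType
                    Target   = ($_.Target -join ';')
                    Owner    = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                    Created  = $_.CreationTime
                }
            }
    }
}

$patch = Test-DefenderPatchLevel
$patch | Format-List
if (-not $patch.Patched) {
    Write-Warning "Defender engine or platform is below the May 20 fixed builds; update before relying on other controls."
}

# Newest links first: a link created by a non-administrator account in one of these
# locations shortly before a Defender crash or restart is worth investigating.
Find-UserWritableLinks | Sort-Object Created -Descending | Format-Table -AutoSize
```

For fleet-wide use, run `Test-DefenderPatchLevel` through `Invoke-Command` against your endpoint list and collect the objects rather than the formatted output, so machines with `Patched = False` can be filtered and ticketed. The link scan is a baseline, not a detection by itself; compare its output over time, since many legitimate junctions (application data relocations, profile redirects) will appear on a first run.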
Why These Defender Vulnerabilities Matter
Security flaws in endpoint protection platforms can be especially dangerous. Defender runs with elevated privileges and is deeply integrated into Windows, so weaknesses in its file‑handling or service components can provide attackers with powerful footholds.
The May 20 update highlights a recurring security lesson: even defensive tools can become attack surfaces, especially when they interact with untrusted files or operate with high privileges.
For enterprises and administrators, the priority is clear—ensure Defender platform and engine updates are deployed quickly across all endpoints to close the window for exploitation.
Source: blog.barracuda.com, “Nightmare-Eclipse: six zero-days, six weeks and one big grudge”