Two Microsoft Defender Zero‑Days Added to CISA KEV: CVE‑2026‑41091 and CVE‑2026‑45498 Explained
In May 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence showed they were already being used in real‑world attacks. The flaws—CVE‑2026‑41091 and CVE‑2026‑45498—affect Microsoft Defender components and can enable privilege escalation or disrupt endpoint protection services.
Both issues triggered urgent patch guidance for government agencies and organizations running Microsoft Defender.
CVE‑2026‑41091: Local privilege escalation via link‑following
CVE‑2026‑41091 is a local privilege escalation (LPE) vulnerability in the Microsoft Malware Protection Engine used by Microsoft Defender. It arises from improper link resolution before file access, the weakness class commonly described as "link following" (CWE‑59).
Severity
CVSS score: 7.8 (High)
Attack type: Local privilege escalation
Exploitation: Confirmed active exploitation in the wild
How the vulnerability works
The Malware Protection Engine resolves symbolic links incorrectly before acting on a file. In the usual link‑following pattern, an attacker with limited privileges plants a link in a location the engine is expected to touch, so that a file operation the engine carries out as SYSTEM is redirected to a target the attacker could not otherwise write to or delete.
If exploited successfully, the flaw allows the attacker to escalate privileges to SYSTEM, giving full control over the affected machine.
Security advisories note that the vulnerable engine versions include:
Microsoft Malware Protection Engine: versions 1.1.26030.3008 through 1.1.26040.7
Because the engine runs with elevated privileges during scanning, exploitation can lead to compromise of confidentiality, integrity, and availability of the system.
CVE‑2026‑45498: Microsoft Defender denial‑of‑service
The second vulnerability, CVE‑2026‑45498, affects Microsoft Defender and allows attackers to trigger a denial‑of‑service (DoS) condition.
Severity
CVSS score: reported as 4.0 (Medium) in security reporting
Attack type: Denial of service
Exploitation: Actively exploited prior to patch release
What the flaw does
Public technical details remain limited. Available descriptions indicate that attackers can exploit the flaw to place Microsoft Defender into a non‑functional or disrupted state, preventing the security software from operating normally.
This type of attack weakens endpoint protection and can give follow‑on malware or intrusion activity room to operate while defenses are degraded. An unexpected Defender service stop or real‑time protection going disabled on a host during this period should therefore be treated as a possible exploitation indicator rather than only an operational fault.
Affected Defender and engine versions
Advisories and security reports indicate the vulnerabilities affect systems running older Defender components, including:
Microsoft Malware Protection Engine: versions prior to 1.1.26040.8
Microsoft Defender platform: versions prior to 4.18.26040.7
Updating to the patched versions or later mitigates the vulnerabilities.
Microsoft patch rollout and update guidance
Microsoft released security updates for Defender components in May 2026 addressing the vulnerabilities. The fixes were distributed through Defender’s automatic security intelligence and platform update mechanisms, which normally update silently on supported systems.
Security agencies advised administrators to ensure Defender engine and platform components are fully updated to the latest versions. Because the fix travels through the same channel as routine update traffic, hosts that are offline, sit behind a blocked update path, or are configured to defer updates remain vulnerable; verifying the installed engine and platform versions is more reliable than assuming the update landed.
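The following is an added example, not code from the article or from Microsoft. It uses the built‑in Defender module cmdlet Get‑MpComputerStatus to compare the local engine and platform versions with the fixed builds the article quotes, and to report whether core protection is actually running, which also covers the "non‑functional state" described for the denial‑of‑service flaw. The version defaults are the article's figures; the host names in the fleet call are hypothetical.

```powershell
# Added example (not from the article or Microsoft). Compares the local Defender
# engine/platform versions against the fixed builds the article names and reports
# whether core protection is running. Defaults are the article's figures; adjust
# them if Microsoft revises the fixed versions.
function Test-DefenderPatchLevel {
    param(
        [version]$MinEngine   = '1.1.26040.8',   # Malware Protection Engine fix
        [version]$MinPlatform = '4.18.26040.7'   # Defender platform fix
    )
    $status = Get-MpComputerStatus

    # Both properties are dotted strings such as 1.1.26040.8; casting to [version]
    # compares them component by component instead of as text.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EngineVersion    = $engine
        EnginePatched    = $engine -ge $MinEngine
        PlatformVersion  = $platform
        PlatformPatched  = $platform -ge $MinPlatform
        ServiceEnabled   = $status.AMServiceEnabled
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        AntivirusEnabled = $status.AntivirusEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}

# Runs the same check on a list of hosts over PowerShell remoting (WinRM must be
# enabled) and returns only hosts that are unpatched or whose protection is not
# running: the list to chase during the remediation window.
function Get-DefenderExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Test-DefenderPatchLevel} |
        Where-Object {
            -not ($_.EnginePatched -and $_.PlatformPatched -and
                  $_.ServiceEnabled -and $_.RealTimeEnabled)
        } |
        Select-Object Computer, EngineVersion, EnginePatched, PlatformVersion, PlatformPatched,
                      ServiceEnabled, RealTimeEnabled
}

# Local check:
Test-DefenderPatchLevel | Format-List

# Fleet check (hypothetical host names):
# Get-DefenderExposure -ComputerName 'ws01', 'ws02', 'srv-file01' | Format-Table
```

A host that fails the engine check can usually be brought current with Update‑MpSignature, since engine updates ship alongside security intelligence updates; the platform version is delivered as a separate Defender platform update through Windows Update, so a stale AMProductVersion points at the Windows Update path rather than at signature delivery.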
CISA KEV inclusion and federal remediation deadline
CISA formally added both vulnerabilities to the Known Exploited Vulnerabilities catalog on May 20, 2026 after confirming active exploitation.
Under Binding Operational Directive (BOD) 22‑01, U.S. federal civilian agencies were required to remediate the issues by:
June 3, 2026
The directive instructs agencies to apply vendor fixes or mitigations, or to discontinue use of vulnerable products if mitigations are unavailable. The two‑week deadline is the window BOD 22‑01 sets for catalog entries whose CVE was assigned in 2021 or later.
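As an added example, not code from the article or from CISA, the script below reads the KEV catalog in its public JSON form and turns each matching entry's dueDate into a remediation countdown, which is how a patch‑management team would turn the listing above into a tracked deadline. The feed URL and field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) are those of the published catalog; the sample catalog embedded for offline use is constructed from the dates the article reports.

```powershell
# Added example (not from the article or CISA). Looks up CVE IDs in the CISA KEV
# catalog and computes days remaining against each entry's dueDate.
$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

function Get-KevCatalog {
    # Live download; the feed is one JSON object whose 'vulnerabilities' array holds the entries.
    Invoke-RestMethod -Uri $KevUrl
}

function Get-KevStatus {
    param(
        [Parameter(Mandatory)] $Catalog,            # output of Get-KevCatalog or a saved copy
        [Parameter(Mandatory)] [string[]]$CveId,
        [datetime]$AsOf = (Get-Date).Date
    )
    $wanted = @{}
    foreach ($id in $CveId) { $wanted[$id.ToUpperInvariant()] = $true }

    foreach ($entry in $Catalog.vulnerabilities) {
        if (-not $wanted.ContainsKey($entry.cveID.ToUpperInvariant())) { continue }
        $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            CveId          = $entry.cveID
            Product        = '{0} {1}' -f $entry.vendorProject, $entry.product
            DateAdded      = $entry.dateAdded
            DueDate        = $entry.dueDate
            DaysRemaining  = [int]($due.Date - $AsOf.Date).TotalDays   # negative once overdue
            Overdue        = $due.Date -lt $AsOf.Date
            RequiredAction = $entry.requiredAction
        }
    }
}

# Constructed sample in the feed's shape, using the dates the article reports, so
# the lookup can be exercised offline. Replace with (Get-KevCatalog) for real data.
$sampleCatalog = [pscustomobject]@{
    vulnerabilities = @(
        [pscustomobject]@{
            cveID = 'CVE-2026-41091'; vendorProject = 'Microsoft'; product = 'Defender'
            dateAdded = '2026-05-20'; dueDate = '2026-06-03'
            requiredAction = 'Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.'
        },
        [pscustomobject]@{
            cveID = 'CVE-2026-45498'; vendorProject = 'Microsoft'; product = 'Defender'
            dateAdded = '2026-05-20'; dueDate = '2026-06-03'
            requiredAction = 'Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.'
        }
    )
}

# With -AsOf set to 2026-05-27, both entries report DaysRemaining = 7 and Overdue = False.
Get-KevStatus -Catalog $sampleCatalog -CveId 'CVE-2026-41091', 'CVE-2026-45498' -AsOf '2026-05-27' |
    Format-Table CveId, Product, DateAdded, DueDate, DaysRemaining, Overdue
```

Matching is done on the cveID field after upper‑casing so that IDs pasted from advisories in mixed case still hit; anything the catalog does not list simply produces no row, which is itself a useful signal that a CVE has not (yet) been confirmed as exploited by CISA.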
The Defender vulnerabilities appeared amid a broader pattern of actively exploited flaws affecting Microsoft products in 2026. Security researchers and government agencies reported multiple exploitation campaigns targeting Windows and enterprise software during the same period.
CISA’s May 2026 KEV update added several vulnerabilities—including older Windows and Adobe issues—alongside the Defender flaws, highlighting how both legacy and newly discovered weaknesses continue to be leveraged in real‑world attacks.
Key takeaway for security teams
The Defender zero‑days underscore a recurring security risk: endpoint protection software itself can become a high‑value attack target. Because Defender components operate with elevated privileges and run continuously across enterprise endpoints, vulnerabilities in these components can have system‑wide impact.
Organizations should ensure that:
Defender platform and engine updates are applied automatically
KEV‑listed vulnerabilities are prioritized in patch management programs
Because exploitation began before disclosure, systems that ran outdated Defender components were exposed until the patched versions were deployed, and confirming that engine and platform versions actually moved to the fixed builds matters more than the update schedule. Hosts that stayed on vulnerable builds for any length of time warrant a look for signs of local privilege escalation or gaps in Defender coverage during that window.