Microsoft Defender Zero‑Days Patched May 20: CVE‑2026‑41091 and CVE‑2026‑45498 Explained

Microsoft issued an out‑of‑band security update on May 20, 2026 to address two Microsoft Defender vulnerabilities already being exploited in real‑world attacks. The flaws—CVE‑2026‑41091 and CVE‑2026‑45498—affect the Defender antimalware ecosystem used across modern Windows systems and were quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling active threat activity and urgent patching requirements.

While the vulnerabilities differ technically—one enables privilege escalation and the other can disrupt Defender protections—both affect security controls that many organizations rely on as their first line of defense.

The Two Defender Zero‑Days Patched May 20

CVE‑2026‑41091 — Local Privilege Escalation in Microsoft Defender

CVE‑2026‑41091 is a link‑following vulnerability in Microsoft Defender caused by improper resolution of file links before accessing them. In practical terms, Defender may follow a symbolic link or similar filesystem redirection controlled by a user, performing an operation on a different file than intended.

Because Defender processes certain files with elevated privileges, a malicious local user could exploit this behavior to influence those operations and elevate privileges to SYSTEM level, gaining full control of the machine.

Key characteristics:

• Vulnerability type: improper link resolution (“link following”)
• Impact: local privilege escalation to SYSTEM
• CVSS v3.1 severity: 7.8 (High)
• Exploitation requires a local authenticated attacker rather than remote access.

Attacks involving link‑following vulnerabilities typically involve:

• Creating a malicious symbolic link, junction, or reparse point
• Triggering Defender to access or modify the linked file
• Redirecting the operation to a protected system location

Although public advisories do not disclose full exploit details, this class of vulnerability is well understood and frequently used in privilege‑escalation chains.

CVE‑2026‑45498 — Microsoft Defender Denial‑of‑Service Vulnerability

The second flaw, CVE‑2026‑45498, allows attackers to trigger a denial of service condition in Microsoft Defender. Public technical documentation currently describes it only as an unspecified vulnerability that can cause service disruption.

A successful exploit could potentially:

• crash Defender components
• interrupt malware scanning
• temporarily disable protection workflows

Because Defender provides real‑time endpoint protection, disrupting it could create a window where malware or post‑exploitation activity proceeds without detection.

The exact exploitation method has not been publicly detailed at the time of disclosure.

Evidence of Active Exploitation

Microsoft confirmed that both vulnerabilities were already being exploited in the wild, which prompted the urgent out‑of‑band update. Security reporting and advisories note that attackers were actively targeting these flaws before patches were widely deployed.

Several indicators support this assessment:

• Both CVEs were added to CISA’s Known Exploited Vulnerabilities catalog, a designation used only when exploitation evidence exists.
• Security reporting states Microsoft acknowledged active exploitation of the privilege‑escalation and DoS flaws affecting Defender.
• Vulnerability trackers list the issues as actively exploited high‑severity vulnerabilities.

However, publicly available sources do not yet provide detailed exploit samples, indicators of compromise, or confirmed victim telemetry.

Affected Systems and Defender Components

The vulnerabilities affect Microsoft Defender components, meaning the risk is tied primarily to Defender platform and engine versions rather than the underlying Windows build.

Affected environments include:

• Windows 11 systems running Defender
• Windows Server deployments using Defender
• Enterprise endpoints protected by the Microsoft Malware Protection Engine

Advisories indicate that vulnerable Defender engine versions include builds prior to 1.1.26040.8, while affected Defender platform versions include builds prior to 4.18.26040.7.

Because Defender’s malware engine and platform components update independently from Windows OS patches, administrators should verify the installed Defender version instead of assuming that updating Windows alone resolves the issue.

Possible Connection to the “Nightmare‑Eclipse” Activity

Security researchers have also discussed a broader wave of Microsoft‑focused exploit releases associated with an actor known as Nightmare‑Eclipse (also called Chaotic Eclipse). This actor has published several Windows and Defender exploits during 2026 following a dispute with Microsoft over vulnerability disclosure.

Researchers describe the activity as a sequence of zero‑day releases targeting Microsoft security tooling and operating system components.

However, available evidence does not definitively link CVE‑2026‑41091 or CVE‑2026‑45498 to that campaign. Current reporting only suggests they occur within a broader pattern of Defender‑related vulnerabilities and exploitation activity.

Recommended Mitigation and Defensive Actions

Organizations running Windows systems with Microsoft Defender should treat these vulnerabilities as high‑priority patch items.

Recommended steps include:

• Install the latest Microsoft Defender platform and engine updates released with the May 20 out‑of‑band update.
• Verify Defender component versions across endpoints rather than relying only on Windows OS patch levels.
• Prioritize patching on multi‑user systems, servers, VDI environments, and developer workstations, where privilege escalation risk is highest.
• Monitor systems for abnormal Defender behavior, including crashes or unexpected service restarts.
• Watch for suspicious filesystem artifacts such as unexpected symbolic links or reparse points in user‑writable directories.

If immediate patching is not possible, organizations should reduce risk by restricting local interactive access, minimizing administrative privileges, and closely monitoring endpoint protection status.

Why These Defender Vulnerabilities Matter

Security flaws in endpoint protection platforms can be especially dangerous. Defender runs with elevated privileges and is deeply integrated into Windows, so weaknesses in its file‑handling or service components can provide attackers with powerful footholds.

The May 20 update highlights a recurring security lesson: even defensive tools can become attack surfaces, especially when they interact with untrusted files or operate with high privileges.

For enterprises and administrators, the priority is clear—ensure Defender platform and engine updates are deployed quickly across all endpoints to close the window for exploitation.