Microsoft Defender CVE-2026-41091 / CVE-2026-45498 exploitation

Summary

Microsoft and CISA reported active exploitation of two Microsoft Defender vulnerabilities in May 2026:

  • CVE-2026-41091 — Microsoft Defender link-following / improper link resolution local privilege escalation, allowing an authorized local attacker to elevate privileges.
  • CVE-2026-45498 — Microsoft Defender denial-of-service vulnerability.

CISA added both CVEs to the Known Exploited Vulnerabilities catalog on May 20, 2026. Microsoft fixed the issues in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7 respectively.

Why this matters

  • Defender runs on many Windows endpoints and servers; an exploited local privilege-escalation path can turn a lower-privileged foothold into SYSTEM execution.
  • Vulnerabilities in the security tooling itself are operationally sensitive: an attacker who has already landed through phishing or commodity malware can chain a Defender bug with that foothold to escalate privileges, and a denial-of-service against the engine degrades detection while the rest of the intrusion proceeds.
  • Defender platform updates are normally automatic, but organizations that disabled Defender, pinned platform versions, block update channels, or run isolated networks should verify status explicitly.

Public reporting

  • Microsoft describes CVE-2026-41091 as improper link resolution before file access in Defender that allows local elevation of privilege.
  • Microsoft describes CVE-2026-45498 as an unspecified Defender denial-of-service issue.
  • The Hacker News notes that public descriptions overlap with previously discussed Defender zero-days named RedSun and UnDefend by Chaotic Eclipse / Nightmare-Eclipse, and that Huntress observed exploitation alongside BlueHammer (CVE-2026-33825). Treat that mapping as third-party reporting rather than a Microsoft attribution statement.
  • CISA requires U.S. FCEB agencies to remediate both KEV-listed CVEs by 2026-06-03.

Defender heuristics

  • Verify that the Defender Antimalware Platform version is 1.1.26040.8 or later, or 4.18.26040.7 or later, whichever platform family the endpoint reports.
  • Check Windows Security → Virus & threat protection → Protection updates, or enterprise management telemetry, to confirm platform and definition updates are being installed.
  • Hunt around suspected exploitation windows for local privilege-escalation behavior: unexpected SYSTEM-level process creation, Defender service crashes or restarts, protection features being disabled, and tamper events. Because CVE-2026-41091 is a link-following (improper link resolution) bug, creation of junctions or symbolic links in Defender-writable directories by non-SYSTEM processes is also worth flagging, even though the advisory does not name the specific path involved.
  • Pay special attention to endpoints where Defender updates are delayed by network isolation, update-ring policy, VDI images, gold images, or third-party AV coexistence settings.
  • If exploitation is suspected, collect endpoint telemetry before broad cleanup so privilege-escalation and tamper evidence is not lost.
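
The checks above, as an added PowerShell example that is not part of the original advisory or of any Microsoft tooling. It uses the built-in Defender cmdlets (Get-MpComputerStatus) and the Defender Operational event log. The minimum versions are taken from the advisory text; the event IDs are the standard Defender Operational log IDs for protection being disabled or configuration changed (5001, 5007, 5010, 5012) and tamper protection blocking a change (5013); the reparse-point check under ProgramData is a heuristic assumption for a link-following bug class, not a path named by Microsoft.

```powershell
# Added example (not from the advisory). Run elevated on the endpoint, or wrap
# in Invoke-Command for a fleet-wide sweep.

# Fixed platform builds named in the advisory, keyed by platform family.
$FixedVersions = @{
    '1.1'  = [version]'1.1.26040.8'
    '4.18' = [version]'4.18.26040.7'
}

function Test-DefenderPlatformFixed {
    # AMProductVersion is the Antimalware Platform version (e.g. 4.18.26040.7).
    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AMProductVersion
    $family    = '{0}.{1}' -f $installed.Major, $installed.Minor

    if (-not $FixedVersions.ContainsKey($family)) {
        # Unknown channel: report it rather than guessing a threshold.
        return [pscustomobject]@{
            Installed = $installed; Required = $null; Fixed = $null
            Note      = "Unrecognised platform family $family; compare manually"
        }
    }

    $required = $FixedVersions[$family]
    [pscustomobject]@{
        Installed           = $installed
        Required            = $required
        Fixed               = ($installed -ge $required)
        RunningMode         = $status.AMRunningMode          # Normal vs Passive/EDR Block
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        TamperProtected     = $status.IsTamperProtected
        SignatureAgeDays    = $status.AntivirusSignatureAge   # stale = updates not flowing
    }
}

function Get-DefenderTamperEvents {
    param([datetime]$Since = (Get-Date).AddDays(-14))
    # 5001 real-time protection disabled; 5007 configuration changed;
    # 5010/5012 malware/virus scanning disabled; 5013 tamper protection blocked a change.
    $ids = 5001, 5007, 5010, 5012, 5013
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-DefenderReparsePoints {
    # Heuristic (assumption): link-following bugs are usually triggered via
    # junctions or symlinks, so list reparse points under Defender's data
    # directory and who owns them. Legitimate ones here should be rare.
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender'
    Get-ChildItem -Path $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Target = $_.Target
                Owner  = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
            }
        }
}

# Usage: collect state first, then triage (see the advisory's note about
# preserving telemetry before cleanup).
$platform = Test-DefenderPlatformFixed
$platform | Format-List
if ($platform.Fixed -eq $false) {
    Write-Warning "Platform $($platform.Installed) is below $($platform.Required); update before triage."
}
Get-DefenderTamperEvents | Format-Table -AutoSize
Get-DefenderReparsePoints | Format-Table -AutoSize
```

Run it once per endpoint and keep the output with the rest of the incident record. A result of Fixed = $false on a host that should be receiving automatic platform updates points to one of the delayed-update causes listed above (isolation, update rings, gold images, passive mode under a third-party AV) and deserves its own follow-up, independent of whether any tamper events were found.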

Sources

  • CISA KEV: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • Microsoft CVE-2026-41091: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
  • Microsoft CVE-2026-45498: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
  • The Hacker News: https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html