Microsoft Defender Under Active Attack: What You Need to Know About the Latest Exploited Vulnerabilities

What’s Happening: Defender Vulnerabilities Under Active Exploit

Microsoft has confirmed that two Defender vulnerabilities are under active exploit, putting many Windows systems at heightened risk. The first, CVE-2026-41091, is a privilege escalation flaw rated 7.8 on the CVSS scale. It stems from improper link resolution (“link following”) in Microsoft Defender and can allow an authorized attacker to elevate privileges locally to SYSTEM level, effectively giving them full control of the affected machine. The second, CVE-2026-45498, carries a CVSS score of 4.0 and enables denial-of-service attacks against Defender, potentially disrupting protection and system stability. Both issues are categorized as Defender vulnerabilities because they directly impact the Microsoft Malware Protection Platform. Security agencies have already flagged these as active exploits, underscoring the urgency for organizations and individual users to respond quickly and reduce their exposure.

Understanding CVE-2026-41091: From User to SYSTEM in One Leap

CVE-2026-41091 is the more severe of the two actively exploited Defender vulnerabilities. It involves improper handling of links before file access in Microsoft Defender, which can be abused by an attacker who already has some level of local authorization. By exploiting this flaw, the attacker can escalate privileges from an ordinary user context to SYSTEM, the highest level of access on Windows. With SYSTEM privileges, an attacker can install malicious software, alter or delete data, create backdoor accounts, and disable security controls, effectively taking over the device. Although it does not provide initial access on its own, it is a powerful tool when combined with phishing, malware, or other intrusion techniques. Because it enables such deep compromise, applying the relevant Windows security patches for this CVE should be a top priority for enterprise defenders and home users alike.

Understanding CVE-2026-45498: Denial-of-Service Against Your Protection Layer

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender with a CVSS score of 4.0. While less critical than a full privilege escalation, it still has significant security implications. By triggering this bug, an attacker may be able to crash or impair Microsoft Defender, degrading or temporarily disabling the system’s primary antimalware defense. Even a short disruption can create an opportunity window in which other malware or tools can be executed with reduced chance of detection. This is particularly concerning in environments that rely heavily on Defender as a core protection layer. The flaw has been confirmed as under active exploit, meaning attackers are already attempting to leverage it in real-world scenarios. Keeping Defender fully functional and resilient against such denial-of-service attacks requires that all affected systems receive the latest Windows security patches released to address this issue.

Patches and Versions: How Microsoft Has Responded

Microsoft has released fixes for both CVE-2026-41091 and CVE-2026-45498 through updates to the Microsoft Defender Antimalware Platform. According to Microsoft’s advisory, the privilege escalation vulnerability is addressed in platform version 1.1.26040.8, while the denial-of-service flaw is resolved in version 4.18.26040.7. Defender typically updates itself automatically, pulling in the latest malware definitions and malware protection engine updates without requiring manual action. Systems where Microsoft Defender is fully disabled are not impacted by these specific vulnerabilities, though they may lack adequate protection overall. Security authorities have added both CVEs to their Known Exploited Vulnerabilities catalog and mandated that certain agencies apply the fixes by June 3, 2026, highlighting the urgency. For most organizations and individuals, verifying that Defender is running one of these fixed versions is the clearest way to ensure protection against the active exploits.

What You Should Do Now: Practical Steps for Users and Enterprises

To reduce risk from these active exploits, users and administrators should immediately confirm that Microsoft Defender is fully updated. On Windows, open the Windows Security app, select Virus & threat protection, then choose Protection updates and click Check for updates to fetch the latest engine and definitions. Next, go to Settings within Windows Security, select About, and verify that the Antimalware Client Version and the other version fields shown there are at least 1.1.26040.8 and 4.18.26040.7 respectively (or later). Enterprises should integrate these checks into endpoint management and compliance reporting, ensuring all devices receive the required Windows security patches promptly. Even though Defender is designed to update automatically, network restrictions or misconfigurations can block updates, so manual validation is essential. These incidents are a reminder that security tools themselves need regular patching and monitoring, just like operating systems and applications.
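The manual Windows Security check above does not scale to a fleet. The following PowerShell script is an added example (not code from the original post or from Microsoft) that performs the same version check with the built-in Defender cmdlets and returns a result that an endpoint-management or compliance tool can consume. It assumes that the 1.1.26040.8 number is compared against the antimalware engine version reported by Get-MpComputerStatus (AMEngineVersion) and 4.18.26040.7 against the platform/service version (AMServiceVersion), because those are the version formats those two properties use; the function name Test-DefenderPatchLevel is the example's own.

```powershell
# Added example, not part of the original post: verify that this host's Defender
# engine and platform are at or above the fixed versions named in the post, and
# trigger a signature/engine refresh when they are not.
# Assumption: 1.1.26040.8 maps to AMEngineVersion and 4.18.26040.7 to
# AMServiceVersion. Run in an elevated PowerShell session on a Windows host.

$RequiredEngine   = [version]'1.1.26040.8'    # fix for CVE-2026-41091 (per the post)
$RequiredPlatform = [version]'4.18.26040.7'   # fix for CVE-2026-45498 (per the post)

function Test-DefenderPatchLevel {
    # Returns one object summarising the patch state of the local Defender install.
    $status = Get-MpComputerStatus

    if (-not $status.AMServiceEnabled) {
        # A DoS against Defender, or an administratively disabled service, both show up here.
        Write-Warning "Defender antimalware service is not running; protection is not active."
    }

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMServiceVersion

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceRunning    = $status.AMServiceEnabled
        RealTimeOn        = $status.RealTimeProtectionEnabled
        EngineVersion     = $engine
        EngineOk          = ($engine -ge $RequiredEngine)
        PlatformVersion   = $platform
        PlatformOk        = ($platform -ge $RequiredPlatform)
        SignatureAgeHours = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not ($result.EngineOk -and $result.PlatformOk)) {
    Write-Host "Defender is below the fixed versions; requesting an update now."
    # Update-MpSignature fetches the latest definitions and engine from the configured source.
    Update-MpSignature -ErrorAction Stop
    $after = Test-DefenderPatchLevel
    if ($after.EngineOk -and $after.PlatformOk -and $after.ServiceRunning) { exit 0 }
    exit 1   # non-zero so a compliance baseline or scheduled task flags the device
}
exit 0
```

Update-MpSignature refreshes definitions and the engine; platform (4.18.x) releases normally arrive through Windows Update, so a device that still fails the PlatformOk check after the refresh should be treated as one whose update channel is blocked or misconfigured, which is exactly the case the post warns about. The ServiceRunning field is included because the denial-of-service flaw makes "is Defender actually up" as important a compliance signal as the version numbers.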
