What’s Happening: Two Microsoft Defender Vulnerabilities Under Active Attack
Microsoft has confirmed two Microsoft Defender vulnerabilities are being actively exploited, putting unpatched systems at immediate risk. The bugs, tracked as CVE-2026-41091 and CVE-2026-45498, affect the Microsoft Defender Antimalware Platform and have already been weaponized by attackers. CVE-2026-41091 is a privilege escalation flaw rated 7.8 on the CVSS scale, while CVE-2026-45498 is a denial-of-service (DoS) issue rated 4.0. Both have now been fixed in newly released Defender platform updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these entries to its Known Exploited Vulnerabilities catalog, underlining the urgency of remediation and requiring certain agencies to patch by early June. For all organizations and home users, this is a clear signal that delaying updates significantly increases the likelihood of compromise, as attackers are already targeting these weaknesses in the wild.
Understanding CVE-2026-41091: SYSTEM-Level Privilege Escalation Risk
CVE-2026-41091 is the more severe of the two Microsoft Defender vulnerabilities because it enables local privilege escalation to SYSTEM, the highest privilege level in Windows. Microsoft describes the flaw as an “improper link resolution before file access” issue, also known as unsafe link following. An authorized attacker who already has some level of access to a machine—such as a low-privilege user or malware foothold—could exploit this weakness to elevate their rights. Once running with SYSTEM privileges, an attacker can disable security tools, install persistent malware, modify critical system settings, and move laterally across the network. This makes CVE-2026-41091 a potent post-compromise weapon, turning a limited breach into a full takeover. The vulnerability’s CVSS score of 7.8 reflects its high impact and the importance of applying the active exploit patch as quickly as possible.
CVE-2026-45498: Denial-of-Service Threat to Defender Protection
CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender, rated 4.0 on the CVSS scale, but it remains significant because it targets your primary line of defense. Exploiting this flaw allows an attacker to disrupt or disable Defender’s antimalware functionality, potentially leaving a system unprotected at critical moments. While it does not directly grant code execution or privilege escalation, successfully triggering a DoS against Defender can create a security blind spot, allowing other malware or attacks to proceed undetected. Microsoft has addressed this issue in Microsoft Defender Antimalware Platform version 4.18.26040.7. Notably, systems where Microsoft Defender has been manually disabled are not vulnerable to this specific flaw, though they are already at elevated risk due to lack of real-time protection. Ensuring Defender remains enabled and fully updated is essential to maintaining baseline security resilience.
How to Check and Update Your Microsoft Defender Immediately
Microsoft notes that Defender typically updates automatically, including both malware definitions and the Microsoft Malware Protection Engine. However, given that these Microsoft Defender vulnerabilities are under active exploitation, you should manually confirm that your system is fully updated. Open the Windows Security app, select “Virus & threat protection,” then choose “Protection updates” under the Virus & threat protection settings section. Click “Check for updates” to force a refresh of platform and definition updates. Next, in the navigation pane, open “Settings,” then “About,” and review the Antimalware Client Version. The privilege escalation and denial-of-service bugs are fixed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. If your version is older, remain connected to the internet, keep Windows Security open, and recheck until the latest security update critical components are installed.
Why You Must Act Now and Ongoing Security Best Practices
Active exploitation of CVE-2026-41091 and CVE-2026-45498 means attackers have already developed reliable techniques to abuse these Microsoft Defender vulnerabilities. This is not a theoretical risk: unpatched systems can be leveraged for SYSTEM-level compromise or have their protection disabled. The inclusion of these flaws in the Known Exploited Vulnerabilities catalog, alongside other long-standing Microsoft bugs and a previously weaponized Exchange Server issue, illustrates a broader trend of adversaries rapidly integrating newly disclosed weaknesses into their toolchains. To respond effectively, prioritize installing the active exploit patch, verify Defender is running with the latest platform and signatures, and avoid disabling built-in protections. Combine this with regular OS updates, least-privilege user accounts, and vigilant monitoring of security alerts to reduce exposure, especially in environments where Defender is a central component of the security stack.