Microsoft Defender Under Active Attack: Patch These Two Exploited Vulnerabilities Now

What’s Happening: Defender Is Being Actively Targeted

Microsoft has confirmed that two Microsoft Defender vulnerabilities are under active exploitation, turning a core security tool into an attack vector. The first, CVE-2026-41091, is a privilege escalation flaw rated 7.8 on the CVSS scale. It stems from improper link resolution before file access, allowing an authorized attacker to elevate privileges locally and potentially gain SYSTEM-level access. The second, CVE-2026-45498, is a denial-of-service bug with a CVSS score of 4.0 that can be abused to disrupt Defender’s operation. Both issues affect the Microsoft Defender Antimalware Platform and have been serious enough for security authorities to add them to a catalog of known exploited vulnerabilities. With real-world attacks already underway, these are not theoretical weaknesses—unpatched Windows environments running Defender face an immediate and direct risk to their security posture.

Why These Actively Exploited Flaws Are So Dangerous

CVE-2026-41091 is especially critical because it enables a SYSTEM access exploit. Once an attacker achieves SYSTEM-level privileges, they effectively control the affected device, able to disable protections, install persistent malware, move laterally, or steal sensitive data with minimal resistance. Meanwhile, CVE-2026-45498 lets attackers trigger denial-of-service conditions against Microsoft Defender, potentially blinding one of the primary security layers Windows users depend on. This combination—privilege escalation plus the ability to knock out protection—creates an attractive toolkit for attackers already inside a network or on a shared system. Even though the denial-of-service bug carries a lower CVSS score, together these Microsoft Defender vulnerabilities significantly weaken overall defenses. Leaving them unpatched gives adversaries a reliable way to deepen their access and maintain stealth in environments that assume Defender is fully operational and trustworthy.

Microsoft’s Fixes and What They Mean for Windows Users

Microsoft has released Windows security patches for both issues through updates to the Microsoft Defender Antimalware Platform. CVE-2026-41091 and CVE-2026-45498 are addressed in platform versions 1.1.26040.8 and 4.18.26040.7, respectively, delivered via the regular Defender update mechanism. No manual download is normally required: Defender automatically updates its malware definitions and the Microsoft Malware Protection Engine. Systems where Microsoft Defender has been completely disabled are not vulnerable to these specific flaws, but that configuration is rare and carries its own risks. Security authorities have set an aggressive deadline for applying these fixes, underscoring the urgency. For most Windows users, the practical implication is simple but critical: verify that Defender has actually installed the latest engine update instead of assuming automatic updates silently succeeded.

How to Check and Update Microsoft Defender Right Now

Because these are actively exploited flaws, do not wait for routine maintenance windows to verify your protection. On a Windows machine, open the Windows Security app and select Virus & threat protection in the left navigation. In the Virus & threat protection updates section, click Protection updates, then choose Check for updates to force Defender to download the latest engine and definitions. After the update completes, go back to the navigation pane, select Settings, then About. There, confirm that the Antimalware Client Version matches or exceeds the fixed platform versions referenced in Microsoft’s advisory. If the version is older, keep checking until the update is successfully applied or escalate to your IT team. Treat this as a priority task: delaying patching leaves a clear path for attackers already exploiting CVE-2026-41091 and CVE-2026-45498 in the wild.
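The same check, scripted for administrators who need to verify many hosts rather than click through Windows Security on each one. This is an added example, not code from the article or from Microsoft; it uses the Defender PowerShell module's Get-MpComputerStatus and Update-MpSignature cmdlets, and it assumes that the article's 1.1.26040.8 value corresponds to the reported engine version (AMEngineVersion) and the 4.18.26040.7 value to the reported platform version (AMProductVersion, shown as Antimalware Client Version in the app).

```powershell
# Added example (not from the article): verify Defender engine and platform
# versions on the local host and force an update if either lags behind.
# The two fixed versions are the numbers quoted in the article; mapping the
# 1.1.x value to AMEngineVersion and the 4.18.x value to AMProductVersion is
# an assumption about which reported field each number corresponds to.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatched {
    $status = Get-MpComputerStatus

    # Defender reports versions as strings; casting to [version] gives a
    # numeric comparison, so 4.18.26040.7 is not misjudged against
    # 4.18.9999.1 by plain string ordering.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ServiceEnabled    = $status.AMServiceEnabled
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        EngineVersion     = $engine
        PlatformVersion   = $platform
        EnginePatched     = ($engine -ge $FixedEngine)
        PlatformPatched   = ($platform -ge $FixedPlatform)
        SignaturesUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$check = Test-DefenderPatched
$check | Format-List

if (-not $check.ServiceEnabled) {
    # The article notes a fully disabled Defender is not exposed to these
    # flaws, but that state should be deliberate, not accidental.
    Write-Warning 'Defender service is not running; confirm this is intentional.'
}
elseif (-not ($check.EnginePatched -and $check.PlatformPatched)) {
    Write-Warning 'Defender is below the fixed versions; forcing an update now.'
    # Triggers the same update flow as Protection updates > Check for updates.
    Update-MpSignature -ErrorAction Stop
    $after = Test-DefenderPatched
    if ($after.EnginePatched -and $after.PlatformPatched) {
        Write-Host 'Update applied; Defender is at or above the fixed versions.'
    } else {
        Write-Warning 'Still below the fixed versions after update; escalate to IT.'
    }
}
else {
    Write-Host 'Defender engine and platform are at or above the fixed versions.'
}
```

Run it in an elevated PowerShell session; Get-MpComputerStatus returns the same fields the Windows Security About page displays, so the output can be compared directly against the advisory.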

Immediate Security Priorities Beyond Patching

Patching Microsoft Defender is the first and most urgent step, but it should be part of a broader response. Assume that attackers may already be probing for these weaknesses in environments that have not yet applied Windows security patches. After confirming your Defender platform version, review recent security logs, including any suspicious privilege escalations, Defender service interruptions, or unexplained policy changes. Tighten local account permissions to reduce opportunities for authorized attackers to abuse CVE-2026-41091. Ensure that other critical Microsoft products and historically targeted components, such as browsers and document readers, are also fully patched to prevent attackers from chaining older vulnerabilities with these actively exploited flaws. Finally, communicate the risk clearly to all users and administrators so no one postpones updates under the false impression that Defender’s default configuration guarantees safety without verification.
