What’s Happening: Defender Is Now a High-Value Target
Microsoft has confirmed that attackers are actively exploiting two separate Microsoft Defender vulnerabilities, turning a core security tool into a potential attack path. The first, CVE-2026-41091, is a privilege escalation flaw rated 7.8 on the CVSS scale. The second, CVE-2026-45498, is a denial-of-service vulnerability with a CVSS score of 4.0. Both affect the Microsoft Defender antimalware platform and have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, underscoring the urgency of patching. While details of real-world attack techniques have not yet been disclosed, the fact that exploitation is confirmed means this is no longer a theoretical risk. If Microsoft Defender is enabled on your system, you should assume you are potentially exposed until the latest security updates are installed and verified.
Inside CVE-2026-41091: SYSTEM Privilege Escalation via Link Following
CVE-2026-41091 is the more severe of the two issues because it enables local privilege escalation. Microsoft describes it as an “improper link resolution before file access” problem in Microsoft Defender, often referred to as a link-following issue. In practice, this means an authorized attacker who already has some level of access to the machine could abuse Defender’s handling of links to elevate their privileges locally. Successful exploitation would grant SYSTEM-level rights, effectively giving the attacker full control of the device: installing malware, disabling protections, exfiltrating data, and moving laterally across networks. Because this vulnerability is already under active exploitation, defenders should treat it as a high-priority incident. Relying solely on traditional perimeter defenses is not enough; patching the Defender platform itself is essential to closing this escalation pathway.
CVE-2026-45498: Denial-of-Service That Can Knock Out Your Protection
The second actively exploited Microsoft Defender vulnerability, CVE-2026-45498, has a lower CVSS score of 4.0 but still carries serious operational implications. It is a denial-of-service (DoS) flaw affecting Defender, meaning an attacker could potentially disrupt or disable Defender’s ability to run properly. While this issue does not directly grant system privilege escalation, it can be used strategically as part of a broader attack chain. For example, an adversary might first use this DoS condition to blind or weaken Defender, then deploy other malware without being detected. Any interruption in your security stack increases the window of opportunity for attackers. Organizations that rely heavily on Defender for endpoint protection should treat this vulnerability as a significant resilience risk and confirm that the patched platform version is already in place and functioning correctly.
The June 3 Deadline: Versions You Need and Why It Matters
Microsoft has addressed these two Microsoft Defender vulnerabilities in updated antimalware platform builds. CVE-2026-41091 is fixed in Microsoft Defender Antimalware Platform version 1.1.26040.8, while CVE-2026-45498 is resolved in version 4.18.26040.7. These updates are delivered through the normal Microsoft Defender update channels and are designed to install automatically alongside malware definition and engine updates. The vulnerabilities’ addition to the Known Exploited Vulnerabilities catalog comes with a clear directive: federal civilian executive branch agencies are required to apply the fixes by June 3, 2026. Even if you are outside that sector, this deadline is a strong signal of urgency. Note that systems with Microsoft Defender disabled are not susceptible to these specific flaws, but for all other environments, confirming that the correct platform versions are present should be treated as an immediate security task.
Immediate Actions: How to Check and Update Microsoft Defender Safely
To reduce exposure to these actively exploited flaws, users should manually verify that Microsoft Defender is fully up to date. Start by opening the Windows Security application and selecting Virus & threat protection from the navigation pane. In the Virus & threat protection section, click Protection updates, then choose Check for updates to force a fresh download of the latest engine and definitions. Next, go back to the navigation pane, select Settings, then About, and review the Antimalware Client Version displayed there. Confirm that it matches or exceeds the platform versions that contain fixes for CVE-2026-41091 and CVE-2026-45498. If your environment uses centralized management, ensure policies do not delay Defender engine updates. Finally, incorporate this incident into your patch management routine so Microsoft Defender vulnerability fixes are prioritized alongside operating system and application updates.
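The same check can be scripted for a fleet rather than clicked through per machine. The following PowerShell is an added example written for this article, not Microsoft's tooling or code from the original page. It takes the two fixed builds the article lists and compares them with what the built-in Get-MpComputerStatus cmdlet reports: that cmdlet exposes the 4.18.x build as AMProductVersion and the 1.1.x build as AMEngineVersion. It assumes the Defender PowerShell module is present (it is on supported Windows 10/11 and Windows Server builds with Defender installed) and that the session is elevated. Hosts where the Defender service is disabled are reported as not exposed, matching the article's note, rather than being flagged as unpatched.

```powershell
# Added example (not from the article): verify Defender platform and engine
# builds against the fixed builds the article lists and trigger an update
# if either is behind. Run in an elevated PowerShell session on Windows.

# Fixed builds as stated in the article. Get-MpComputerStatus reports the
# 4.18.x build as AMProductVersion and the 1.1.x build as AMEngineVersion.
$RequiredProductVersion = [version]'4.18.26040.7'   # CVE-2026-45498 fix
$RequiredEngineVersion  = [version]'1.1.26040.8'    # CVE-2026-41091 fix

function Test-DefenderPatchState {
    $status = Get-MpComputerStatus -ErrorAction Stop

    # Per the article, hosts with Defender disabled are not exposed to these
    # flaws, so report that state explicitly instead of calling it unpatched.
    if (-not $status.AMServiceEnabled) {
        return [pscustomobject]@{
            Host            = $env:COMPUTERNAME
            DefenderEnabled = $false
            Exposed         = $false
            ProductVersion  = $status.AMProductVersion
            EngineVersion   = $status.AMEngineVersion
            Note            = 'Defender service disabled; not exposed to these CVEs'
        }
    }

    $productOk = [version]$status.AMProductVersion -ge $RequiredProductVersion
    $engineOk  = [version]$status.AMEngineVersion  -ge $RequiredEngineVersion
    $note = if ($productOk -and $engineOk) { 'Fixed builds present' } else { 'Update required' }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        DefenderEnabled = $true
        RunningMode     = $status.AMRunningMode   # Normal, Passive Mode, etc.
        ProductVersion  = $status.AMProductVersion
        ProductPatched  = $productOk
        EngineVersion   = $status.AMEngineVersion
        EnginePatched   = $engineOk
        Exposed         = -not ($productOk -and $engineOk)
        Note            = $note
    }
}

$before = Test-DefenderPatchState
$before | Format-List

if ($before.Exposed) {
    # Equivalent of "Check for updates" under Protection updates: pulls the
    # latest security intelligence and engine update through the normal
    # Defender channel. Platform (4.18.x) builds arrive via Windows Update,
    # so rerun this script after Windows Update if that build is still behind.
    Update-MpSignature -ErrorAction Stop
    Start-Sleep -Seconds 30    # give the update a moment to apply
    $after = Test-DefenderPatchState
    $after | Format-List
    if ($after.Exposed) {
        Write-Warning 'Defender is still below the fixed builds; check update deferral policy and Windows Update.'
    }
}
```

The function returns an object rather than printing text so the results can be collected across many hosts (for example with Invoke-Command) and filtered on the Exposed property. A machine reporting RunningMode of Passive Mode is still running the Defender platform and should still receive the fixed builds.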
