What Happened: Two Microsoft Defender Vulnerabilities Under Active Attack
Microsoft has confirmed active exploitation of two serious Microsoft Defender vulnerabilities that impact a core security component on millions of Windows systems. The first, a privilege escalation flaw tracked as CVE-2026-41091, carries a CVSS score of 7.8 and stems from improper link resolution before file access in Microsoft Defender. If successfully exploited, it allows an authorized attacker to elevate their access to SYSTEM privileges, effectively giving them full control over the affected device. The second issue, CVE-2026-45498, is a denial-of-service bug with a CVSS score of 4.0 that can be used to disrupt Defender’s normal operation. Both have been added to the Known Exploited Vulnerabilities catalog, underscoring that attackers are already abusing them in real-world scenarios and that administrators must respond without delay.
Why CVE-2026-41091 and CVE-2026-45498 Matter for System Security
These Microsoft Defender vulnerabilities are especially dangerous because they target the built-in antimalware platform many organizations rely on as a first line of defense. CVE-2026-41091 is a local privilege escalation issue caused by “link following” behavior, where Defender improperly resolves links before file access. Once a foothold is gained on a system, an attacker can leverage this weakness to obtain SYSTEM-level privileges, bypassing normal security boundaries and potentially disabling protections, installing persistent malware, or accessing sensitive data. CVE-2026-45498, while rated lower in severity, enables denial-of-service conditions in Defender itself. By disrupting Defender, attackers may create a window where malicious activity goes undetected. Even though the second flaw does not directly grant code execution, the combination of an elevated attacker and a weakened security engine poses a significant risk in active attack chains.
The June 3 Microsoft Defender Patches: Versions You Need to Run
To counter the CVE-2026-41091 exploit and the CVE-2026-45498 vulnerability, Microsoft has released fixes through updates to the Microsoft Malware Protection Platform. According to Microsoft’s advisory, the privilege escalation issue and the denial-of-service bug have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively. These updates are distributed via the normal Defender update channels and are designed to install automatically alongside malware definition and engine updates, meaning most users will receive protection without manual intervention. Systems where Microsoft Defender has been disabled are not affected by these specific flaws, but for all other environments, verifying that these platform versions (or later) are present is essential. Federal agencies have been directed to apply the fixes by June 3, highlighting the urgency of treating this Windows security update as a high-priority maintenance task.
How to Check and Apply the Microsoft Defender Vulnerability Fixes
Although Microsoft Defender usually updates itself, every administrator and user should confirm that the latest protections against the Microsoft Defender vulnerabilities are in place. Open the Windows Security application, then select “Virus & threat protection” in the navigation pane. Under the Virus & threat protection section, choose “Protection updates” and click “Check for updates” to force a manual download of the newest engine and definition files. Next, go back to the navigation pane, select “Settings,” and then open the “About” section. There you can review the Antimalware ClientVersion to ensure it matches or exceeds the patched Microsoft Defender Antimalware Platform versions associated with the CVE-2026-41091 patch and mitigation for the CVE-2026-45498 exploit. Regularly repeating this check helps verify that automatic update mechanisms remain healthy and that Defender is not silently falling behind.
Immediate Next Steps for Organizations and Home Users
Given that both vulnerabilities are being exploited in the wild, this Windows security update must be treated as an immediate priority. Organizations should verify Defender platform versions across all endpoints, ensure update policies are not delaying security engine updates, and document compliance as part of their vulnerability management program. Because CVE-2026-41091 can lead to SYSTEM-level compromise, incident response teams should also review logs and security alerts for suspicious local privilege escalation activity around the time updates are rolled out. Home users should simply confirm that Defender updates are enabled and up to date using the steps outlined above. While there are no public technical details yet on how attackers are chaining these flaws, maintaining a fully patched Defender engine significantly reduces the risk of successful compromise from the CVE-2026-41091 patch gap or any ongoing CVE-2026-45498 exploit attempts.