What’s Happening: Two Actively Exploited Windows Defender Vulnerabilities
Microsoft has confirmed active attacks targeting two Windows Defender vulnerabilities that can seriously impact endpoint security. The first, CVE-2026-41091, is a privilege escalation bug rated 7.8 on the CVSS scale. It arises from improper link resolution in Microsoft Defender, allowing an authorized attacker to gain SYSTEM-level privileges if successfully exploited. The second, CVE-2026-45498, carries a 4.0 CVSS score and enables denial-of-service (DoS) attacks against Defender, potentially disrupting protection on affected systems. Both flaws are already being exploited in the wild, which significantly raises their priority compared with purely theoretical issues. They have been added to the Known Exploited Vulnerabilities catalog, underscoring that attackers are weaponizing them in real-world campaigns. Organizations and individual users running Defender should treat these Windows Defender vulnerabilities as urgent and ensure that their security update for June is applied immediately.
Why CVE-2026-41091 and CVE-2026-45498 Are So Dangerous
CVE-2026-41091 is particularly critical because it can convert a low-level foothold into complete control. By abusing how Defender follows links before file access, an attacker with some local privileges could elevate to SYSTEM—the highest level of access on Windows. Once at SYSTEM, an adversary can disable security tools, deploy ransomware, or move laterally across the network with few restrictions. CVE-2026-45498, while rated lower, is still significant for defenders. As a denial-of-service flaw in Defender, it could enable attackers to crash or impair the antivirus engine, creating a blind spot precisely where you expect protection. Together, these actively exploited flaws undermine both the integrity and availability of a core endpoint protection tool. Their presence in the Known Exploited Vulnerabilities catalog should be taken as a clear signal that delaying updates materially increases the risk of compromise.
The Security Update: June Patches and Fixed Defender Versions
Microsoft has released fixes as part of a security update in June that directly address both issues in the Microsoft Defender Antimalware Platform. According to the advisory, CVE-2026-41091 is remediated in platform version 1.1.26040.8, while CVE-2026-45498 is fixed in version 4.18.26040.7. Systems running these or later versions are protected against the known exploitation paths. By design, Microsoft Defender updates its malware definitions and Malware Protection Engine automatically, so most users will receive the CVE-2026-41091 patch and the DoS mitigation without manual intervention. Importantly, machines where Defender has been disabled are not susceptible to these specific vulnerabilities. However, because the flaws are already being abused, security teams should not rely solely on default behavior. Instead, they should verify that endpoints have actually consumed the June security update and are running a protected Defender build.
Immediate Steps: How to Confirm Your Defender Is Patched
To reduce risk from these Windows Defender vulnerabilities, you should confirm that Defender is fully up to date. Start by opening the Windows Security application on your system. In the navigation pane, select "Virus & threat protection," then locate the "Protection updates" section and click "Check for updates" to force retrieval of the latest engine and definition packages. After the update process completes, go back to the navigation pane, choose "Settings," and then select "About." In this view, examine the Antimalware Client Version value and confirm it is at least 1.1.26040.8 or 4.18.26040.7, which contain the fixes for CVE-2026-41091 and CVE-2026-45498. Security teams should script or centrally report on these version numbers across fleets where possible. If any endpoint is not at a protected version, investigate why updates are failing and remediate immediately.
What This Means for Your Patch Strategy Going Forward
The active exploitation of CVE-2026-41091 and CVE-2026-45498 highlights a broader lesson: endpoint protection tools themselves are high-value targets. When attackers can gain SYSTEM access or disable antivirus via such flaws, every delay in applying patches increases exposure. The rapid addition of these bugs to the Known Exploited Vulnerabilities catalog, alongside other Microsoft issues, shows that threat actors are closely tracking and weaponizing new weaknesses. Organizations should treat security updates for Defender and similar tools as priority-one changes, not routine maintenance. That means enabling automatic updates, monitoring for failed installations, and verifying engine and platform versions after each security update in June and beyond. Incorporate actively exploited flaws into your risk scoring, and ensure your vulnerability management program distinguishes between theoretical vulnerabilities and those already being used in real intrusions. Timely patching of security tooling is now as critical as patching the operating system itself.