Active exploitation of Microsoft Defender CVE-2026-41091 and CVE-2026-45498

CyberSecureFox Editorial Team

Microsoft has confirmed active exploitation of two vulnerabilities in Microsoft Defender: CVE-2026-41091 (privilege escalation to SYSTEM, CVSS 7.8) and CVE-2026-45498 (denial of service, CVSS 4.0). CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal civilian agencies to remediate them by June 3, 2026. Fixes are already being delivered through Defender’s automatic update mechanism; administrators are nevertheless advised to verify the installed platform version manually.

Technical analysis of the vulnerabilities

CVE-2026-41091 — privilege escalation via symbolic links

The more dangerous of the two vulnerabilities belongs to the class of improper link resolution before file access, also known as “link following.” The core of the issue is that Microsoft Defender resolves symbolic links incorrectly while performing file operations, which allows an authenticated local attacker to redirect the antivirus engine’s operations, running with SYSTEM privileges, to arbitrary files or directories.

The CVSS score of 7.8 reflects its high severity: although the attack requires local access and prior authentication, successful exploitation results in full control of the system. “Link following” vulnerabilities in privileged services are a well-studied attack vector that is regularly used to bypass security mechanisms and maintain persistence on compromised systems.
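To make the "link following" class concrete from the defensive side, the following PowerShell is an added example (it is not code from the article, from Microsoft, or from the Defender product) of the check a privileged component should perform before acting on a path: walk every component of the path and refuse to proceed if any of them is a reparse point (symbolic link, junction or mount point). The function names are this example's own, and the demonstration builds a throwaway directory tree with a junction, which needs no administrative rights.

```powershell
# Added example, not from the advisory or the article: refuse privileged file
# operations on paths that pass through a reparse point. A link anywhere above
# the final component redirects the whole operation, so every level is checked.

function Test-PathContainsReparsePoint {
    param([Parameter(Mandatory)][string]$Path)

    $current = [System.IO.Path]::GetFullPath($Path)
    while ($current) {
        # -Force also returns hidden/system entries; a missing component is skipped
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and ([int]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)) {
            return [pscustomobject]@{
                IsReparsePoint = $true
                Component      = $current
                LinkType       = $item.LinkType   # SymbolicLink, Junction, ...
                Target         = $item.Target
            }
        }
        # GetDirectoryName returns $null at the volume root, which ends the loop
        $current = [System.IO.Path]::GetDirectoryName($current)
    }
    [pscustomobject]@{ IsReparsePoint = $false; Component = $null; LinkType = $null; Target = $null }
}

# A guarded operation: the kind of wrapper a service running as SYSTEM should
# put around delete/move/write calls on paths that a lower-privileged user can
# influence (hypothetical helper for this example).
function Invoke-GuardedDelete {
    param([Parameter(Mandatory)][string]$Path)
    $check = Test-PathContainsReparsePoint -Path $Path
    if ($check.IsReparsePoint) {
        throw "Refusing to operate: '$($check.Component)' is a $($check.LinkType) to '$($check.Target)'"
    }
    Remove-Item -LiteralPath $Path -Force
}

# Constructed demonstration: a 'quarantine' folder that is really a junction
# pointing at a directory the caller should not be able to reach.
$base   = Join-Path $env:TEMP ('linkdemo-' + [guid]::NewGuid().ToString('N'))
$real   = New-Item -ItemType Directory -Path (Join-Path $base 'real') -Force
$secret = New-Item -ItemType Directory -Path (Join-Path $base 'protected') -Force
$link   = New-Item -ItemType Junction -Path (Join-Path $base 'quarantine') -Target $secret.FullName
Set-Content -LiteralPath (Join-Path $secret.FullName 'keep.txt') -Value 'must survive'

$safe   = Test-PathContainsReparsePoint -Path (Join-Path $real.FullName 'sample.dat')
$unsafe = Test-PathContainsReparsePoint -Path (Join-Path $link.FullName 'keep.txt')
$safe, $unsafe | Format-Table IsReparsePoint, LinkType, Component -AutoSize

try {
    Invoke-GuardedDelete -Path (Join-Path $link.FullName 'keep.txt')
} catch {
    Write-Host "Blocked: $($_.Exception.Message)"
}
Write-Host "protected\keep.txt still present: $(Test-Path -LiteralPath (Join-Path $secret.FullName 'keep.txt'))"

# Cleanup: delete the junction itself first so nothing recurses through it
$link.Delete()
Remove-Item -LiteralPath $base -Recurse -Force
```

The check above still leaves a window between the test and the actual file operation, during which a link can be swapped in; a check-then-act pattern is therefore a mitigation, not a complete fix. Native code closes that window by opening the path with `FILE_FLAG_OPEN_REPARSE_POINT` and validating the handle it actually obtained, or by performing user-influenced file operations while impersonating the requesting user instead of as SYSTEM, so that a redirected link gains nothing.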

CVE-2026-45498 — denial of service

The second vulnerability makes it possible to trigger denial of service in Microsoft Defender components. With a CVSS score of 4.0, it is formally classified as a medium-severity vulnerability, but its practical significance is considerably higher in the context of attack chains: disabling antivirus protection via denial of service can be a preparatory step before deploying malware or exploiting other vulnerabilities.

The confirmed fact that both vulnerabilities are being actively exploited at the same time indirectly points to their possible use in combination: first neutralizing Defender via CVE-2026-45498, then escalating privileges via CVE-2026-41091.

Affected versions and patches

According to Microsoft, the vulnerabilities are remediated in the following versions of the Microsoft Defender Antimalware Platform:

  • Version 1.1.26040.8 — fix for CVE-2026-41091
  • Version 4.18.26040.7 — fix for CVE-2026-45498

Microsoft states that updates are distributed automatically via the malware definitions update mechanism and the Microsoft Malware Protection Engine. Systems on which Microsoft Defender is disabled are not exposed to these vulnerabilities.

Discovery of the vulnerabilities is credited to five independent researchers: Sibusiso, Diffract, Andrew C. Dorman (ACD421), Damir Moldovanov, and an anonymous researcher. The fact that multiple parties independently identified the issue may indicate that the vulnerability was fairly obvious to experienced researchers and therefore was likely also known to attackers before disclosure.

Impact assessment

Microsoft Defender is the default antivirus solution on all Windows 10 and Windows 11 systems, which makes the potential attack surface exceptionally broad. The CVE-2026-41091 vulnerability poses a particular threat to corporate environments: obtaining SYSTEM privileges on a domain workstation opens the way to lateral movement, credential extraction, and compromise of domain controllers.

Neither Microsoft nor CISA has disclosed specific details of exploitation in real-world attacks so far. The lack of public indicators of compromise complicates retrospective analysis; however, the mere fact of inclusion in the KEV catalog confirms that there is credible evidence of exploitation.

It is worth noting that this is already the third Microsoft vulnerability to receive “actively exploited” status in the past week—earlier, exploitation of an XSS vulnerability in on-premises Exchange Server was reported.

CISA KEV catalog update context

In addition to the two Defender vulnerabilities, CISA simultaneously added to the KEV catalog four historical Microsoft vulnerabilities from 2008–2010 and one Adobe vulnerability:

  • CVE-2010-0806 — use-after-free in Internet Explorer, remote code execution
  • CVE-2010-0249 — use-after-free in Internet Explorer, remote code execution
  • CVE-2009-1537 — NULL-byte overwrite in DirectX/DirectShow (quartz.dll), code execution via a QuickTime file
  • CVE-2008-4250 — buffer overflow in Windows Server Service, code execution via an RPC request
  • CVE-2009-3459 — heap overflow in Adobe Acrobat and Reader, code execution via a PDF

Adding 15-year-old vulnerabilities to the KEV catalog is an unusual step that typically indicates they have been observed in current attacks, including against legacy systems in critical infrastructure or industrial environments where software updates are difficult.

Practical recommendations

To check the current Microsoft Defender version and confirm that the fixes are installed:

  1. Open the Windows Security app
  2. Go to Virus & threat protection
  3. Click Protection updates
  4. Select Check for updates
  5. Go to Settings → About
  6. Make sure that the Antimalware Client Version is 1.1.26040.8, 4.18.26040.7, or higher

For corporate environments with centralized update management via WSUS, SCCM, or Intune, it is necessary to ensure that policies do not block automatic updating of Defender components. Organizations that use third-party antivirus solutions with Defender disabled are not affected by these vulnerabilities; however, it is recommended to verify the actual service state on all endpoints.
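For fleet-wide verification, the GUI steps above do not scale; the following PowerShell is an added example (not Microsoft's script and not from the article) that reads the same information with the built-in `Get-MpComputerStatus` cmdlet, compares it with the fixed versions listed in the "Affected versions and patches" section, and reports the service state the previous paragraph asks administrators to confirm. It assumes that the 1.1.x number on the page is compared with the engine version (`AMEngineVersion`) and the 4.18.x number with the platform version (`AMProductVersion`), since those are the formats each property reports; the function name is this example's own.

```powershell
# Added example, not Microsoft's or the article's own script: report whether an
# endpoint runs the Defender versions that contain the fixes and whether the
# Defender service is actually active (a disabled Defender is not exposed).
function Get-DefenderPatchState {
    param(
        # Assumption: engine-format version for CVE-2026-41091, platform-format for CVE-2026-45498
        [version]$FixedEngineVersion   = '1.1.26040.8',
        [version]$FixedPlatformVersion = '4.18.26040.7'
    )

    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DefenderEnabled      = ([bool]$status.AMServiceEnabled) -and ([bool]$status.AntivirusEnabled)
        RealTimeProtection   = [bool]$status.RealTimeProtectionEnabled
        EngineVersion        = $engine
        PlatformVersion      = $platform
        CVE_2026_41091_Fixed = ($engine -ge $FixedEngineVersion)
        CVE_2026_45498_Fixed = ($platform -ge $FixedPlatformVersion)
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureAgeDays     = $status.AntivirusSignatureAge
    }
}

$state = Get-DefenderPatchState
$state | Format-List

if (-not $state.DefenderEnabled) {
    Write-Host 'Defender is not the active AV on this host; confirm the third-party product is healthy.'
}
elseif (-not ($state.CVE_2026_41091_Fixed -and $state.CVE_2026_45498_Fixed)) {
    # The article states the fixes arrive through the definitions update channel,
    # so trigger that channel and re-check afterwards.
    Write-Warning 'Defender is active but below the fixed versions; requesting an update now.'
    Update-MpSignature
    Get-DefenderPatchState | Format-List
}
```

Run across a fleet with `Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Get-DefenderPatchState}` and pipe the objects to `Export-Csv`; any row with `DefenderEnabled` true and either `*_Fixed` column false is a host to prioritise before the CISA deadline.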

Given the confirmed active exploitation and the CISA deadline of June 3, 2026, remediation of CVE-2026-41091 should be treated as critical: verify and update all systems with active Microsoft Defender immediately, paying special attention to servers and workstations that have access to sensitive data or privileged accounts.

