Microsoft Defender CVE-2026-41091 (CVSS 7.8) Privilege Escalation

Microsoft has addressed CVE-2026-41091, a privilege escalation vulnerability impacting the Microsoft Malware Protection Engine, a core component of Microsoft Defender. This flaw, rated with a CVSS score of 7.8, allows an attacker to achieve SYSTEM privileges on an affected system. The vulnerability has been actively exploited in zero-day attacks prior to its public disclosure and patching.

Microsoft also patched CVE-2026-45498, a denial-of-service vulnerability in the Microsoft Defender Antimalware Platform. Both vulnerabilities were subject to in-the-wild exploitation and have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches within two weeks of their catalog addition.

The security updates for these vulnerabilities show the need for diligent patch management, even for automatically updating components, because these flaws have seen active exploitation. Microsoft's antimalware software updates automatically by default, but verifying the successful installation of these patches is a security practice to reduce risks from known exploitation. This analysis covers the details of these vulnerabilities, their potential impact, and the necessary remediation steps.

What is CVE-2026-41091 and Why is it Critical?

CVE-2026-41091 is a privilege escalation flaw within the Microsoft Malware Protection Engine. This component provides the scanning, detection, and cleaning capabilities for Microsoft's antivirus and antispyware software, including Microsoft Defender. The vulnerability stems from improper link resolution before file access, often called a "link following" weakness. This defect allows an authorized attacker to elevate their privileges locally, ultimately gaining SYSTEM privileges on the compromised machine.

The importance of CVE-2026-41091 is because of the access an attacker can gain and its active exploitation as a zero-day. SYSTEM privilege is the highest possible on a Windows operating system, granting complete control over the system. This allows an attacker to execute arbitrary code, install programs, view, change, or delete data, and create new accounts with full user rights. Such capabilities can lead to system compromise, data breaches, and help attackers move laterally within an enterprise network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the importance of this vulnerability by adding it to its Known Exploited Vulnerabilities (KEV) Catalog. CISA's inclusion shows that this type of flaw represents a frequent attack vector for malicious cyber actors, posing risks to federal and private sector enterprises. The agency's directive for federal agencies to remediate this vulnerability within a two-week deadline shows the urgency and potential impact of in-the-wild exploitation. The CVSS score of 7.8 for CVE-2026-41091 reflects its high severity, indicating that successful exploitation can lead to significant security breaches.

What is the Impact of CVE-2026-41091?

The main impact of CVE-2026-41091 is an authorized attacker's ability to achieve SYSTEM privileges on an affected Windows device. Gaining SYSTEM privileges means an attacker can bypass most security controls and execute any action on the operating system. This could include disabling security software, installing persistent backdoors, escalating privileges across other systems in a domain, or deploying ransomware and other destructive payloads. The compromised system becomes fully controlled by the attacker.

Systems running Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, which incorporate the vulnerable Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, are at risk. This broad scope means many Windows devices, both client and server, across various organizational sizes and sectors, could be susceptible. Local privilege escalation implies that an attacker typically needs some initial access to the system, but once achieved, this vulnerability provides a direct path to total control.

The fact that CVE-2026-41091 has been actively exploited as a zero-day indicates threat actors have developed and deployed working exploits in real-world attacks. This increases the risk from theoretical to immediate and tangible. Organizations failing to patch promptly are directly exposed to known attack methods already in use by malicious entities.

CVE-2026-45498, a denial-of-service (DoS) vulnerability with a lower CVSS score of 4.0, still represents an operational risk. Successful exploitation of this flaw can trigger DoS states on unpatched Windows devices, rendering systems unavailable and disrupting business operations. In a targeted attack scenario, a DoS could be used as a diversion or a component of a larger attack chain designed to disrupt defenses while other objectives are pursued. Both vulnerabilities, having been exploited in the wild, require urgent attention from security teams.

Exploitation Chain and Preconditions for CVE-2026-41091

Exploitation of CVE-2026-41091 uses an "improper link resolution before file access" weakness, often called a "link following" vulnerability. This means a program attempts to access a file based on a provided path, but an attacker can manipulate the file system or symbolic links to point to a different, unauthorized location. By doing so, the attacker can trick a privileged process (in this case, the Microsoft Malware Protection Engine) into performing actions on arbitrary files or directories with its elevated SYSTEM privileges.

For CVE-2026-41091, the attack vector is local, meaning an attacker typically requires prior access to the target system. This initial access could be gained through phishing, exploiting other remote vulnerabilities, compromising user credentials, or using other initial access methods. Once an attacker has a foothold on the system, even with limited user privileges, they can craft an exploit that manipulates file system links. This manipulation would direct the Microsoft Malware Protection Engine to an attacker-controlled file or resource when it performs its routine operations, such as scanning. The engine, operating with SYSTEM privileges, would then perform the requested action (e.g., writing data, executing code) on the attacker's chosen target, which then escalates the attacker's own privileges to SYSTEM.

Research confirms that both CVE-2026-41091 and CVE-2026-45498 have been actively exploited in the wild as zero-day vulnerabilities. This means that at the time of their discovery by Microsoft, no public patches were available. Details on the specific in-the-wild exploitation methods, attack campaigns, or threat actors involved have not been publicly disclosed in the provided research. The absence of a public Proof-of-Concept (PoC) further limits understanding of the exact technical steps attackers are taking. But the inclusion of these CVEs in CISA's Known Exploited Vulnerabilities (KEV) Catalog serves as official confirmation of their active weaponization.

The CISA directive requires Federal Civilian Executive Branch (FCEB) agencies to apply fixes by June 3, 2026. This mandate is driven by Binding Operational Directive (BOD) 22-01, which describes the risks posed by actively exploited vulnerabilities. While specific preconditions for exploitation beyond initial local access are not fully detailed in public advisories, the nature of a link following vulnerability often involves race conditions or carefully crafted file system states to succeed. Security researchers Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher were credited with discovering and reporting these flaws to Microsoft, showing a collaborative effort to disclose these zero-days.

Affected Products and Versions

The vulnerabilities CVE-2026-41091 and CVE-2026-45498 affect components of the Microsoft Defender Antimalware Platform, a fundamental security offering across many Microsoft products. The specific affected versions are:

  • Microsoft Malware Protection Engine

    • Affected Version: 1.1.26030.3008 and earlier
    • Vulnerability: Privilege Escalation (CVE-2026-41091)
    • This engine provides scanning, detection, and cleaning capabilities for all Microsoft antivirus and antispyware software.
  • Microsoft Defender Antimalware Platform

    • Affected Version: 4.18.26030.3011 and earlier
    • Vulnerability: Denial-of-Service (CVE-2026-45498)
    • This platform is a collection of security tools. It includes Microsoft Defender (formerly Windows Defender), Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection, and Microsoft Security Essentials.

These components are found across various Windows operating system versions, making the scope of potential impact broad, covering both client workstations and server environments. Organizations using any of the mentioned Microsoft antimalware solutions should consider their systems potentially vulnerable if running the specified versions or earlier. Systems that have completely disabled Microsoft Defender are not susceptible to these particular vulnerabilities.

Detection

Detecting active exploitation of CVE-2026-41091 and CVE-2026-45498 directly, based on the provided research, is challenging because Microsoft has not released specific Indicators of Compromise (IOCs), log signatures, EDR queries, or attack patterns related to the in-the-wild exploits. The available information focuses on verifying that the system has received the patch.

But organizations can take proactive steps to confirm their systems' patch status:

  • Verify Antimalware Client Version:

    1. Open Windows Security (e.g., type "Security" in the Search bar and select the program).
    2. Navigate to Virus & threat protection.
    3. Click Protection Updates within the Virus & threat protection section.
    4. Select Check for updates. This initiates a check for the latest definitions and platform updates.
    5. In the navigation pane, select Settings, then select About.
    6. Examine the Antimalware ClientVersion number.

    If the Malware Protection Platform version number or the signature package version number matches or exceeds the patched version numbers (1.1.26040.8 for the Engine, 4.18.26040.7 for the Platform), the update has been successfully installed.

  • Endpoint Detection and Response (EDR) Monitoring: Although specific IOCs are not provided, EDR solutions can monitor for unusual activities that might indicate exploitation attempts, such as:

    • Unusual Process Creation: Monitoring for unusual processes launched with SYSTEM privileges, especially those originating from unexpected parent processes or locations.
    • File System Manipulation: Detecting suspicious modifications to symbolic links, hard links, or junction points, particularly in system directories or areas that the Microsoft Malware Protection Engine commonly interacts with.
    • Security Software Tampering: Alerts for attempts to disable, modify, interfere with, or remove Microsoft Defender processes or services.
    • Abnormal Service Behavior: Monitoring for crashes or unexpected restarts of Microsoft Defender services, which could indicate a denial-of-service attempt (CVE-2026-45498).

Without vendor-specific exploit details or IOCs, these EDR detections are heuristic and may generate false positives, requiring careful tuning and analyst investigation. Microsoft's primary detection mechanism is verifying the installed update version.

Remediation

Remediation for CVE-2026-41091 and CVE-2026-45498 involves updating the Microsoft Malware Protection Engine and the Microsoft Defender Antimalware Platform to the patched versions. Microsoft has released specific updates to address these vulnerabilities.

  • Apply Patches:

    • For CVE-2026-41091 (privilege escalation), update the Microsoft Malware Protection Engine to version 1.1.26040.8 or later.
    • For CVE-2026-45498 (denial-of-service), update the Microsoft Defender Antimalware Platform to version 4.18.26040.7 or later.
  • Use Automatic Updates: Microsoft states that its antimalware software's default configuration ensures malware definitions and the Windows Defender Antimalware Platform stay up to date automatically. For most users and organizations with standard configurations, these updates should deploy without manual intervention.

  • Verify Update Installation: Despite automatic updates, it is important for administrators and users to verify that the updates have been successfully installed. Follow these steps:

    1. Open the Windows Security program.
    2. In the navigation pane, select Virus & threat protection.
    3. Click Protection Updates in the Virus & threat protection section.
    4. Select Check for updates to initiate a manual check and download if available.
    5. In the navigation pane, select Settings, and then select About.
    6. Examine the Antimalware ClientVersion number. The update is successfully installed if the version number matches or exceeds 1.1.26040.8 for the engine and 4.18.26040.7 for the platform.
  • CISA Directive for Federal Agencies: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog. CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers against these vulnerabilities by June 3, 2026. This mandate, under Binding Operational Directive (BOD) 22-01, shows the importance of timely patching for organizations.

  • Monitoring Post-Remediation: After applying patches, organizations should continue to monitor their systems for any unusual activity. While patching removes the vulnerability, post-exploitation activity from prior compromises might persist if exploitation occurred before the patch was applied. Regular security audits and continuous monitoring for unusual behavior remain important components of an overall security posture.

Technical Takeaways

  • CVE-2026-41091 is a privilege escalation flaw (CVSS 7.8) in the Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, leading to SYSTEM privileges.
  • CVE-2026-45498 is a denial-of-service flaw (CVSS 4.0) in the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
  • Both vulnerabilities are actively exploited zero-days, confirmed by their inclusion in the CISA KEV Catalog.
  • The privilege escalation in CVE-2026-41091 is due to an "improper link resolution before file access" (link following) weakness, requiring initial local access.
  • Remediation involves updating the Microsoft Malware Protection Engine to 1.1.26040.8 and the Microsoft Defender Antimalware Platform to 4.18.26040.7 or later.