Microsoft has confirmed that two vulnerabilities affecting its Defender antivirus software are currently being exploited by attackers in the wild. The most critical of these, CVE-2026-41091, allows for privilege escalation, potentially granting attackers SYSTEM-level access on compromised systems. Meanwhile, CVE-2026-45498 presents a denial-of-service risk within Microsoft Defender. These active exploits highlight the ongoing threat landscape for endpoint security solutions.
The privilege escalation flaw, CVE-2026-41091, has a significant CVSS score of 7.8, indicating a high level of risk. Microsoft’s advisory details that the vulnerability arises from improper link resolution before file access, often referred to as “link following.” An attacker with existing local access could exploit this weakness to gain elevated privileges. The denial-of-service vulnerability, CVE-2026-45498, carries a lower CVSS score of 4.0 but still poses a threat to system stability.
Microsoft Defender Vulnerabilities Under Active Exploitation
These vulnerabilities have been addressed by Microsoft in updated versions of its Defender Antimalware Platform. Specifically, version 1.1.26040.8 resolves the privilege escalation issue, while version 4.18.26040.7 addresses the denial-of-service bug. Microsoft has indicated that systems where Microsoft Defender has been disabled are not vulnerable to these specific exploits.
For users relying on automatic updates, no immediate action is typically required. Microsoft Defender is designed to automatically update its malware definitions and the underlying protection engine, ensuring optimal security. However, users can verify that they have the latest protection by checking their Antimalware Client Version within the Windows Security application.
To manually check for updates and confirm the installation of the latest protection engine, users can follow a specific procedure. This involves opening Windows Security, navigating to “Virus & threat protection,” and then selecting “Protection Updates.” From there, users can initiate a “Check for updates.” Further verification can be done by going to “Settings” and then “About” to view the “Antimalware Client Version” number.
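The same check can be scripted for fleet-wide verification. This is an added example, not code from the article or from Microsoft; it assumes that the AMEngineVersion and AMProductVersion fields of Get-MpComputerStatus carry the 1.1.x engine build and the 4.18.x platform build respectively, and it uses the fixed version numbers cited above.

```powershell
# Added example: compare the locally installed Defender engine/platform builds
# against the fixed versions the advisory cites, and report per CVE.
# Assumption: AMEngineVersion is the 1.1.x engine build, AMProductVersion the
# 4.18.x platform build (field names from Get-MpComputerStatus).

$Fixed = @{
    'CVE-2026-41091' = @{ Property = 'AMEngineVersion';  MinVersion = [version]'1.1.26040.8' }
    'CVE-2026-45498' = @{ Property = 'AMProductVersion'; MinVersion = [version]'4.18.26040.7' }
}

function Test-DefenderPatchLevel {
    param([Parameter(Mandatory)] $Status)   # output object of Get-MpComputerStatus

    # Per the advisory, a disabled Defender is not exposed to these CVEs; say so explicitly.
    if (-not $Status.AntivirusEnabled) {
        return [pscustomobject]@{ Finding = 'Defender disabled; not affected by these CVEs' }
    }

    foreach ($cve in $Fixed.Keys) {
        $prop = $Fixed[$cve].Property
        $raw  = [string]$Status.$prop
        # An empty field means the component is absent or not reporting; do not guess.
        $installed = if ($raw) { [version]$raw } else { $null }
        [pscustomobject]@{
            CVE       = $cve
            Component = $prop
            Installed = $installed
            Required  = $Fixed[$cve].MinVersion
            Patched   = ($null -ne $installed -and $installed -ge $Fixed[$cve].MinVersion)
        }
    }
}

# Query the local machine and show the result.
$status = Get-MpComputerStatus
$report = Test-DefenderPatchLevel -Status $status
$report | Format-Table -AutoSize

# If any component is below the fixed build, pull updates now
# (the scripted equivalent of "Check for updates" in Windows Security).
if ($report | Where-Object { $_.Patched -eq $false }) {
    Update-MpSignature
}
```

Run the script again after the update to confirm both components report Patched = True.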
The discovery and reporting of these vulnerabilities are attributed to several researchers, including Sibusiso, Diffract, Andrew C. Dorman (known as ACD421), Damir Moldovanov, and an anonymous individual. This collaborative effort underscores the vital role of the security research community in identifying and mitigating software weaknesses.
Details regarding the exact methods of in-the-wild exploitation for these Defender vulnerabilities remain scarce. However, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken swift action by adding both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates that Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by June 3, 2026, emphasizing the urgency for government systems.
Broader Vulnerability Landscape
This disclosure follows closely on the heels of other recent security alerts from Microsoft. Just last week, the company highlighted a cross-site scripting (XSS) flaw in on-premises Exchange Server versions (CVE-2026-42897) that has also been actively exploited. This underscores a persistent trend of vulnerabilities being weaponized shortly after disclosure.
Adding to the ongoing security concerns, CISA also recently added four older Microsoft vulnerabilities to its KEV catalog, dating back to 2008, 2009, and 2010. These include:
- CVE-2010-0806 and CVE-2010-0249: Use-after-free vulnerabilities in Microsoft Internet Explorer that could lead to arbitrary code execution.
- CVE-2009-1537: A NULL byte overwrite vulnerability in the Microsoft DirectX QuickTime Movie Parser Filter.
- CVE-2008-4250: A buffer overflow vulnerability in the Windows Server Service allowing for remote code execution.
Furthermore, a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader, tracked as CVE-2009-3459, was also included in the recent KEV catalog additions. This vulnerability in Adobe products could enable remote code execution via crafted PDF files that trigger memory corruption.
The continued inclusion of older vulnerabilities in exploitation campaigns, alongside novel ones like those found in Microsoft Defender, highlights the layered approach necessary for robust cybersecurity. Organizations must not only patch current threats but also address legacy systems that may remain attractive targets. The upcoming deadline for FCEB agencies to patch the Defender vulnerabilities by June 3, 2026, will be a key indicator of remediation progress in critical government infrastructure.