Microsoft Defender users should verify engine and platform versions after Microsoft disclosed two Defender vulnerabilities that are already exploited in attacks. CVE-2026-41091 is the more serious issue: a local attacker who already has access to a Windows system can elevate privileges to SYSTEM through improper link resolution before file access.[2] CVE-2026-45498 is a Defender denial-of-service flaw, also marked by Microsoft as exploited.[3]

BleepingComputer reported on May 21, 2026, that Microsoft started rolling out patches for the two exploited Defender zero-days on Wednesday.[1] CISA added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog on May 20, with a federal remediation due date of June 3, 2026.[4] That KEV entry does not mean every home PC is currently targeted, but it is a clear signal that defenders should not wait for the next normal maintenance window.
The practical risk is different for each bug. CVE-2026-41091 has a CVSS 3.1 score of 7.8 and requires local access plus low privileges, but successful exploitation can grant high confidentiality, integrity, and availability impact.[5] That matters after phishing, infostealer, remote-access, or help-desk compromise, because malware that lands as a normal user often tries to become SYSTEM before disabling defenses or dumping sensitive data. CVE-2026-45498 is lower severity at CVSS 4.0, but a local no-privilege denial-of-service condition against endpoint protection can still help an attacker weaken visibility during the next stage of an intrusion.[6]
What to check on Windows endpoints
Microsoft says the last affected Microsoft Malware Protection Engine version for CVE-2026-41091 is 1.1.26030.3008, and the first fixed engine version is 1.1.26040.8.[2] For CVE-2026-45498, the last affected Microsoft Defender Antimalware Platform version is 4.18.26030.3011, and the first fixed platform version is 4.18.26040.7.[3] At the time of this check, Microsoft’s public security intelligence page listed Engine Version 1.1.26040.8 and Platform Version 4.18.26040.7 in the latest update information.[7]
For a quick manual check, open Windows Security, go to Virus & threat protection, choose protection updates, run Check for updates, and then verify the About section. On managed endpoints, query Defender status centrally and look for machines that failed engine or platform update deployment. PowerShell checks such as Get-MpComputerStatus can help inventory the installed engine, platform, signature age, and real-time protection state across a fleet.
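The fleet check described above, as an added example that is not from the article or from Microsoft: it reads Get-MpComputerStatus and compares the installed engine and platform against the first fixed versions the article cites, handling the disabled-Defender case separately. The function name and output fields are assumptions for illustration.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the Defender
# PowerShell module is present (Windows PowerShell 5.1 or PowerShell 7 on Windows).
$FixedEngine   = [version]'1.1.26040.8'   # first fixed engine version (CVE-2026-41091)
$FixedPlatform = [version]'4.18.26040.7'  # first fixed platform version (CVE-2026-45498)

function Test-DefenderPatchState {
    $status = Get-MpComputerStatus

    # A disabled Defender may report an empty or 0.0.0.0 version, so parse defensively.
    $engine = $null; $platform = $null
    [void][version]::TryParse($status.AMEngineVersion,  [ref]$engine)
    [void][version]::TryParse($status.AMProductVersion, [ref]$platform)

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineVersion      = $status.AMEngineVersion
        PlatformVersion    = $status.AMProductVersion   # platform (4.18.x) version
        SignatureAgeDays   = $status.AntivirusSignatureAge
        EngineFixed        = ($null -ne $engine   -and $engine   -ge $FixedEngine)
        PlatformFixed      = ($null -ne $platform -and $platform -ge $FixedPlatform)
    }
}

$result = Test-DefenderPatchState
$result | Format-List

# Per Microsoft, disabled Defender is not exploitable for these bugs, but the binaries
# on disk may still be a compliance finding; treat that state as its own outcome.
if (-not $result.AntivirusEnabled) {
    Write-Warning 'Defender is disabled; confirm another protection stack is active and record the on-disk versions.'
}
elseif ($result.EngineFixed -and $result.PlatformFixed) {
    Write-Host 'Defender engine and platform are at or above the fixed versions.'
}
else {
    Write-Warning 'Engine or platform is below the fixed version; trigger a protection update (Update-MpSignature) and re-check.'
}
```

Run it through your remote-management tooling (for example Invoke-Command against a list of hosts) and filter on EngineFixed or PlatformFixed being false to find endpoints where the update did not land.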
Organizations should prioritize systems that are exposed to untrusted users, shared workstations, VDI pools, help-desk jump boxes, developer machines, and servers where Defender is the primary local control. If Defender is disabled by policy, Microsoft notes that scanners may still flag vulnerable Defender files on disk, but disabled Defender is not considered exploitable for these issues.[2] The better operational question is whether the endpoint has another active protection stack and whether vulnerable Defender binaries remain a compliance finding.
Because both bugs require local activity, triage should focus on endpoints that already show suspicious execution, unusual Defender service interruptions, failed update attempts, or recent malware detections. This Defender update also connects to a broader Windows endpoint pattern: a small local weakness can become serious after initial access. Readers may want to review how Microsoft Defender fits into everyday protection, how to fix Windows Defender update failures, and how recent Windows campaigns such as fake developer tooling dropping infostealers create the kind of local foothold that makes privilege-escalation bugs valuable.
References
- BleepingComputer. “Microsoft warns of new Defender zero-days exploited in attacks.” May 21, 2026. https://www.bleepingcomputer.com/news/security/microsoft-warns-of-new-defender-zero-days-exploited-in-attacks/
- Microsoft Security Response Center. “CVE-2026-41091: Microsoft Defender Elevation of Privilege Vulnerability.” https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2026-41091
- Microsoft Security Response Center. “CVE-2026-45498: Microsoft Defender Denial of Service Vulnerability.” https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2026-45498
- CISA. “Known Exploited Vulnerabilities Catalog: CVE-2026-41091 and CVE-2026-45498.” https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD. “CVE-2026-41091.” https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-41091
- NVD. “CVE-2026-45498.” https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-45498
- Microsoft Security Intelligence. “Latest security intelligence updates for Microsoft Defender Antivirus.” https://www.microsoft.com/en-us/wdsi/definitions