CISA Adds Two Actively Exploited Microsoft Defender Flaws
CISA on May 20 added two actively exploited Microsoft Defender flaws, CVE-2026-41091 (local elevation to SYSTEM) and CVE-2026-45498 (denial-of-service), to its Known Exploited Vulnerabilities catalog.
On May 20, 2026 the Cybersecurity and Infrastructure Security Agency added two actively exploited Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-41091 and CVE-2026-45498. The KEV update also included several other entries, five of which were originally patched in 2008, 2009 and 2010.
The KEV catalog identifies flaws that are being exploited in the wild and sets patching deadlines for Federal Civilian Executive Branch agencies. Inclusion in the catalog obligates those agencies to follow the KEV remediation timelines.
CVE-2026-41091 has a CVSS score of 7.8 and is an elevation-of-privilege vulnerability in the Microsoft Defender Antimalware platform. An attacker with local access can exploit the flaw to escalate to SYSTEM-level permissions and gain control of a Windows host.
CVE-2026-45498 carries a CVSS score of 4.0 and is a denial-of-service vulnerability that can crash or disrupt Defender’s operation. Crashing or disabling an endpoint protection engine can allow malware to run without detection.
The elevation flaw requires local access, which increases exposure in environments with shared machines, terminal servers or multiple users on a single host. Organizations that rely on Microsoft Defender as primary endpoint protection, IT teams managing Windows systems in businesses, schools and local governments, and administrators of shared environments are among those affected.
Microsoft lists the first Antimalware Platform release that addresses both issues as version 4.18.26040.7. Platform version information can be viewed in Windows Security by opening Start, selecting Windows Security, going to Virus & threat protection, opening Settings (gear icon) and viewing About. Defender platform updates are often delivered with cumulative Windows updates on a monthly cadence or when needed, and platform updates may arrive later than security definition updates.
With the two Defender flaws added to KEV, remediation becomes mandatory for federal civilian agencies under KEV rules. The KEV entry directs system owners and administrators to confirm platform and definition versions and apply any outstanding cumulative updates to address the listed vulnerabilities.
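The version check described above can also be scripted. The following is an added example, not Microsoft's or CISA's code: it reads the platform and definition versions through the Defender module's `Get-MpComputerStatus` cmdlet and compares the platform against 4.18.26040.7. The function name `Test-DefenderPlatform` and the host list are illustrative, and remote hosts are assumed to be reachable over WinRM.

```powershell
# Added example: flag hosts whose Defender platform predates the fixed release.
# The fixed version comes from the article; the function name is hypothetical.
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPlatform {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        $result = [ordered]@{
            ComputerName     = $name
            PlatformVersion  = $null
            SignatureVersion = $null
            SignatureUpdated = $null
            RealTimeEnabled  = $null
            Status           = 'Unknown'
        }
        $session = $null
        try {
            # The local host is queried directly; remote hosts go through a CIM session.
            if ($name -eq $env:COMPUTERNAME) {
                $mp = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $mp = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            # [version] compares each component numerically, so 4.18.26040.7
            # ranks above 4.18.9999.0, which a plain string comparison gets wrong.
            $platform = [version]$mp.AMProductVersion
            $result.PlatformVersion  = $platform
            $result.SignatureVersion = $mp.AntivirusSignatureVersion
            $result.SignatureUpdated = $mp.AntivirusSignatureLastUpdated
            $result.RealTimeEnabled  = $mp.RealTimeProtectionEnabled
            $result.Status = if ($platform -ge $FixedPlatform) { 'Patched' } else { 'NeedsUpdate' }
        } catch {
            # A failed query deserves triage too: Defender may be stopped, absent or unreachable.
            $result.Status = "QueryFailed: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession $session }
        }
        [pscustomobject]$result
    }
}

Test-DefenderPlatform | Format-Table -AutoSize
```

Pass a list of host names to `-ComputerName` to cover shared machines and terminal servers, where the local-access requirement of CVE-2026-41091 matters most.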







