Microsoft patches two Defender bugs used in active attacks
Microsoft patched two actively exploited Microsoft Defender flaws: CVE-2026-41091, a local privilege-escalation flaw that can yield SYSTEM access, and CVE-2026-45498, a denial-of-service bug.
Microsoft issued patches for two Microsoft Defender vulnerabilities that are being actively exploited. CVE-2026-41091 is a local privilege-escalation flaw with a CVSS score of 7.8. Successful exploitation can grant an attacker SYSTEM privileges. CVE-2026-45498 is a denial-of-service vulnerability with a CVSS score of 4.0.
Both flaws were fixed in Microsoft Defender Antimalware Platform releases 1.1.26040.8 and 4.18.26040.7. Machines that have disabled Microsoft Defender are not affected. Malware definition and Microsoft Malware Protection Engine updates are distributed automatically for most users, so no manual installation is required in typical environments.
In its advisory, Microsoft described CVE-2026-41091 as an ‘Improper link resolution before file access (“link following”)’ flaw that allows an authorized attacker to elevate privileges locally and obtain SYSTEM-level access on a compromised device. CVE-2026-45498 can cause Defender to stop working, resulting in a denial of service.
There are no public technical details about how the flaws are being exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency added both vulnerabilities to its Known Exploited Vulnerabilities catalog, which requires Federal Civilian Executive Branch agencies to apply fixes by June 3, 2026.
Microsoft credited five reporters for discovering and reporting the vulnerabilities: Sibusiso, Diffract, Andrew C. Dorman (ACD421), Damir Moldovanov and an anonymous researcher. The company advised users to confirm they are running the updated antimalware platform to ensure the fixes and definition updates are present.
To check Defender updates, open the Windows Security app, select Virus & threat protection, click Protection updates and choose Check for updates. Then open Settings and select About to view the Antimalware Client Version number. These checks confirm that the latest platform and definition updates are downloaded and installed.
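The same check can be scripted for fleet use. The PowerShell below is an added example, not code from Microsoft or from the original article: it reads the local versions with `Get-MpComputerStatus` and compares them with the fixed releases named above. The function name `Test-DefenderPatchLevel` is hypothetical, and the mapping of 4.18.x to the platform version and 1.1.x to the engine version is an assumption based on Defender's version numbering.

```powershell
# Added example: compare local Defender component versions with the fixed
# releases named in the article. Run on the endpoint being checked.
$Fixed = @{
    # Assumption: 4.18.x is the platform (AMProductVersion) and 1.1.x is the
    # engine (AMEngineVersion), following Defender's version numbering.
    AMProductVersion = [version]'4.18.26040.7'
    AMEngineVersion  = [version]'1.1.26040.8'
}

function Test-DefenderPatchLevel {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Status,                  # Get-MpComputerStatus output
        [Parameter(Mandatory)] [hashtable] $FixedVersions
    )
    foreach ($name in $FixedVersions.Keys) {
        $parsed = $null
        $raw = [string]$Status.$name
        if (-not [version]::TryParse($raw, [ref]$parsed)) {
            $state = 'Unknown'        # property missing or not a version string
        } elseif ($parsed -ge $FixedVersions[$name]) {
            $state = 'Patched'
        } else {
            $state = 'NeedsUpdate'
        }
        [pscustomobject]@{
            Component = $name
            Installed = $raw
            FixedIn   = $FixedVersions[$name].ToString()
            State     = $state
        }
    }
}

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    # The cmdlet fails when the Defender service or module is unavailable.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    return
}

if (-not $status.AMServiceEnabled) {
    Write-Output 'Defender service is not enabled; the article states such machines are not affected.'
    return
}

Test-DefenderPatchLevel -Status $status -FixedVersions $Fixed | Format-Table -AutoSize
```

A `NeedsUpdate` row means the installed component is older than the fixed release; an `Unknown` row means the version could not be read and the host should be checked manually.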
The Defender advisory follows a recent Microsoft disclosure that a cross-site scripting flaw in on-premises Exchange Server, CVE-2026-42897, has been used in attacks. CISA added several older Microsoft and Adobe vulnerabilities from 2008 to 2010 to its exploited list in the same update.






