Two Microsoft Defender flaws being actively exploited
CISA added two Microsoft Defender flaws to its Known Exploited Vulnerabilities catalog after reports of active exploitation: CVE-2026-41091 (local SYSTEM elevation) and CVE-2026-45498 (denial of service).
On May 20, 2026, the Cybersecurity and Infrastructure Security Agency added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The entries are CVE-2026-41091 and CVE-2026-45498.
CVE-2026-41091 is rated 7.8 on the CVSS scale and is a local elevation-of-privilege vulnerability. An attacker who already has some access to a Windows machine can exploit the Microsoft Defender Antimalware Platform to obtain SYSTEM-level permissions.
CVE-2026-45498 is rated 4.0 and is a denial-of-service vulnerability that can crash or disable the Defender antivirus engine, interrupting its normal operation.
CISA’s KEV catalog identifies vulnerabilities known to be exploited in the wild and establishes remediation deadlines for Federal Civilian Executive Branch agencies. The Defender entries were added on May 20, 2026; several other items added that day are older patches dating back to 2008–2010.
Microsoft delivers fixes for the Defender Antimalware Platform through platform updates and sometimes alongside cumulative Windows updates. The first platform release that addresses these two flaws is version 4.18.26040.7.
The installed Defender platform version is visible in Windows Security under Virus & threat protection, Settings, and About. Platform updates can lag behind security intelligence or definition updates, and the platform patch may not appear immediately even with automatic updates enabled.
Organizations that use Microsoft Defender as their primary endpoint protection, manage many Windows systems, or operate shared or terminal server environments are among those most affected by these flaws. IT teams should monitor update releases, confirm that Defender platform and security intelligence updates are installed, and apply any cumulative updates that include the platform fix.
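The version check described above can be scripted across a fleet. The following PowerShell is an added example, not Microsoft's or CISA's code: it reads the platform version from the `AMProductVersion` property of `Get-MpComputerStatus` and compares it with the fixed release named in this article. The host names are placeholders, and remote queries assume PowerShell remoting is enabled.

```powershell
# Added example: report hosts whose Defender platform predates the fixed release.
# 4.18.26040.7 is the fixed platform version given in the article.
function Get-DefenderPlatformStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$FixedPlatform = '4.18.26040.7'
    )

    foreach ($name in $ComputerName) {
        try {
            # Query the local host directly; remote hosts go through remoting.
            $status = if ($name -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $name -ErrorAction Stop `
                    -ScriptBlock { Get-MpComputerStatus }
            }

            # [version] compares each numeric field, so 4.18.9999.1 sorts
            # below 4.18.26040.7, which a string comparison would get wrong.
            $platform = [version]$status.AMProductVersion

            [pscustomobject]@{
                ComputerName     = $name
                PlatformVersion  = $platform
                Patched          = $platform -ge $FixedPlatform
                # Security intelligence is reported separately: it can be
                # current while the platform is still behind.
                SignatureVersion = $status.AntivirusSignatureVersion
                SignatureUpdated = $status.AntivirusSignatureLastUpdated
                Error            = $null
            }
        } catch {
            # An unreachable host or a stopped Defender service is reported
            # as unknown rather than silently counted as patched.
            [pscustomobject]@{
                ComputerName     = $name
                PlatformVersion  = $null
                Patched          = $null
                SignatureVersion = $null
                SignatureUpdated = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

# Placeholder host names; replace with an inventory export.
Get-DefenderPlatformStatus -ComputerName 'host01.example', 'host02.example' |
    Sort-Object Patched | Format-Table -AutoSize
```

Rows with `Patched` set to False and a recent `SignatureUpdated` value are the hosts where definitions are current but the platform update has not yet arrived.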








