Microsoft Defender CVE-2026-41091 and CVE-2026-45498 Exploited

Stephanie Adlam

Microsoft has confirmed exploitation of two Microsoft Defender vulnerabilities fixed in the May 2026 security update cycle. CVE-2026-41091 is an elevation-of-privilege flaw in the Microsoft Malware Protection Engine, while CVE-2026-45498 is a denial-of-service flaw in the Microsoft Defender Antimalware Platform [1] [2].

The first bug matters more for incident response because a local authorized attacker could gain SYSTEM privileges. Microsoft identifies the last affected Malware Protection Engine as 1.1.26030.3008 and the first fixed engine as 1.1.26040.8. For the platform issue, Microsoft lists 4.18.26030.3011 as the last affected Antimalware Platform and 4.18.26040.7 as the first fixed version.

CISA added both CVEs to the Known Exploited Vulnerabilities catalog on May 20, 2026, with a remediation due date of June 3 for covered federal agencies [3]. For home and small-business Windows users, the useful takeaway is narrower: do not only check whether Defender is “on.” Check whether the engine and platform binaries actually moved to the fixed builds.

What to verify on Windows systems

Microsoft says Defender files can remain present even when Defender is disabled, which can cause scanners to report vulnerable binaries on systems that are not exploitable in that disabled state. That distinction matters for triage: a stale file on disk is not the same signal as an active Defender service running an affected build.

On managed endpoints, verify update delivery instead of assuming automatic updates worked. Microsoft notes that Defender signatures normally update multiple times per day, but engine and platform updates still depend on the update channel, policy, and connectivity. If a device recently saw malware, unusual local admin changes, or unexplained Defender interruptions, treat the version check as part of the response workflow rather than a routine patch task.
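A version check in the spirit of the two paragraphs above, written as an added example and not code from the article, Microsoft, or CISA. It reads the engine and platform builds that Get-MpComputerStatus reports, compares them with the first fixed versions the article cites, and separates an active Defender service on an affected build from stale binaries on a disabled one; the fixed-version constants are taken from the article, everything else is the example's own.

```powershell
# Added example: compare the running Defender engine/platform builds with the
# first fixed versions named in the advisories, and report whether Defender is
# actually active (stale files on a disabled install are a different signal).
$FixedEngine   = [version]'1.1.26040.8'   # first fixed Malware Protection Engine (CVE-2026-41091)
$FixedPlatform = [version]'4.18.26040.7'  # first fixed Antimalware Platform (CVE-2026-45498)

function Get-DefenderPatchState {
    [CmdletBinding()]
    param()

    # Get-MpComputerStatus is the built-in Defender cmdlet; AMEngineVersion is the
    # Malware Protection Engine, AMProductVersion is the Antimalware Platform.
    $status   = Get-MpComputerStatus -ErrorAction Stop
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    $active   = [bool]$status.AMServiceEnabled -and [bool]$status.AntivirusEnabled

    $engineFixed   = $engine   -ge $FixedEngine
    $platformFixed = $platform -ge $FixedPlatform

    # Triage verdict: a disabled service with old binaries is not exploitable in
    # that state per Microsoft, but it should still be updated.
    $verdict = if (-not $active) {
        'DISABLED: Defender service not active; old binaries are a stale-file finding, update anyway'
    } elseif ($engineFixed -and $platformFixed) {
        'OK: Defender active on fixed engine and platform builds'
    } else {
        'ACTION: Defender active on an affected build; deliver the engine/platform update and review recent Defender interruptions'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DefenderActive  = $active
        EngineVersion   = $engine
        EngineFixed     = $engineFixed
        PlatformVersion = $platform
        PlatformFixed   = $platformFixed
        Verdict         = $verdict
    }
}

Get-DefenderPatchState | Format-List
```

Run it in an elevated PowerShell session on the endpoint, or wrap it in Invoke-Command to collect the same object from a fleet.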

This story fits the same Windows security pattern we covered in AI malware bypassing Microsoft Defender: protection quality depends on current engine behavior, not only on the presence of an antivirus icon. There were no useful evidentiary screenshots in the MSRC or CISA records, so no source screenshots were inserted.

Related endpoint-security update: Trend Micro also warned about CVE-2026-34926 in Apex One, where a compromised on-prem management server can become a poisoned path to agents.

References

  1. Microsoft Security Response Center: CVE-2026-41091, Microsoft Defender Elevation of Privilege Vulnerability, May 19, 2026. Advisory
  2. Microsoft Security Response Center: CVE-2026-45498, Microsoft Defender Denial of Service Vulnerability, May 19, 2026. Advisory
  3. CISA Known Exploited Vulnerabilities Catalog: entries for CVE-2026-41091 and CVE-2026-45498, added May 20, 2026. Catalog
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.