Microsoft has disclosed details of two security vulnerabilities affecting Microsoft Defender that are currently being actively exploited in real-world attacks. The vulnerabilities are a privilege escalation flaw identified as CVE-2026-41091 and a denial-of-service issue tracked as CVE-2026-45498. According to Microsoft, both vulnerabilities impact Defender and have already been addressed through security updates released for Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Security experts have emphasized the importance of ensuring systems are updated, particularly as both flaws are reportedly being used in active exploitation campaigns.
The more severe of the two vulnerabilities, CVE-2026-41091, carries a Common Vulnerability Scoring System (CVSS) score of 7.8 and could allow attackers to gain SYSTEM-level privileges on affected devices. Microsoft stated that the flaw results from improper link resolution before file access, commonly referred to as link following, within Microsoft Defender. According to the advisory, an authorized attacker with local access could exploit the weakness to elevate privileges and gain extensive control over targeted systems. The second vulnerability, CVE-2026-45498, has a CVSS score of 4.0 and affects Defender through a denial-of-service weakness. While Microsoft has not officially confirmed the connection, cybersecurity researchers noted similarities between these vulnerabilities and two previously disclosed Defender zero-day issues known as RedSun and UnDefend, which were revealed by Chaotic Eclipse, also known as Nightmare Eclipse, in April 2026. Threat detection firm Huntress has reportedly observed exploitation activity involving both vulnerabilities along with another Defender-related issue identified as BlueHammer, or CVE-2026-33825.
Microsoft also disclosed that version 1.1.26040.8 includes a fix for an additional heap-based buffer overflow vulnerability identified as CVE-2026-45584, which carries a CVSS score of 8.1. The flaw could potentially allow an unauthorized attacker to execute remote code on affected systems, although Microsoft stated there is currently no evidence of active exploitation in the wild. The company clarified that devices where Microsoft Defender has been disabled are not vulnerable to these specific flaws. Microsoft also noted that no manual action is required to receive protection in most environments, because malware definitions and updates for the Microsoft Malware Protection Engine are delivered automatically. To verify that the updates have been installed successfully, users can review their antimalware platform version through Windows Security settings by checking virus and threat protection updates and confirming the installed client version information.
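For fleet-wide verification, the same check can be scripted instead of opened in the Windows Security app. The following PowerShell is an added example written for this article, not code from Microsoft or the advisory; it uses the built-in Defender module cmdlet Get-MpComputerStatus and assumes (based on the usual Defender numbering, not stated on the page) that the 1.1.x number from the advisory corresponds to the AMEngineVersion field and the 4.18.x number to the AMProductVersion (platform) field.

```powershell
# Added example, not from the article: report whether this device's Defender
# engine and platform versions meet the fixed versions named in the advisory.
# Assumption: Get-MpComputerStatus exposes the 1.1.x build as AMEngineVersion
# and the 4.18.x build as AMProductVersion (antimalware platform).
$FixedEngineVersion   = [version]'1.1.26040.8'
$FixedPlatformVersion = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    }
    catch {
        # Cmdlet unavailable or the Defender service is not reachable.
        return [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DefenderEnabled = $null
            EngineVersion   = $null
            PlatformVersion = $null
            Patched         = $null
            Note            = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    # Microsoft says devices with Defender disabled are not affected, but they
    # are also unprotected, so surface that state instead of reporting "patched".
    if (-not $status.AMServiceEnabled) {
        return [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DefenderEnabled = $false
            EngineVersion   = $null
            PlatformVersion = $null
            Patched         = $null
            Note            = 'Defender antimalware service is disabled on this device'
        }
    }

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    $enginePatched   = $engine   -ge $FixedEngineVersion
    $platformPatched = $platform -ge $FixedPlatformVersion

    if ($enginePatched -and $platformPatched) {
        $note = 'Engine and platform meet the fixed versions'
    }
    elseif (-not $enginePatched -and -not $platformPatched) {
        $note = 'Engine and platform are both below the fixed versions'
    }
    elseif (-not $enginePatched) {
        $note = "Engine $engine is below $FixedEngineVersion"
    }
    else {
        $note = "Platform $platform is below $FixedPlatformVersion"
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DefenderEnabled = $true
        EngineVersion   = $engine
        PlatformVersion = $platform
        Patched         = ($enginePatched -and $platformPatched)
        Note            = $note
    }
}

# Run locally; pipe to Export-Csv or Invoke-Command -ComputerName for a fleet.
Test-DefenderPatchLevel | Format-List
```

The [version] cast makes the comparison numeric per component rather than a string comparison, so 1.1.26040.10 correctly ranks above 1.1.26040.8. On a device that reports Patched = False, Update-MpSignature triggers the normal engine and definition update channel that the article says delivers these fixes automatically; re-run the check afterwards.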
The latest disclosures have also drawn attention from United States cybersecurity authorities. The Cybersecurity and Infrastructure Security Agency, commonly known as CISA, added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply patches before June 3, 2026. The development follows another recent Microsoft security issue disclosed last week involving CVE-2026-42897, a cross-site scripting vulnerability affecting on-premises Microsoft Exchange Server deployments that was reportedly weaponized in active attacks. CISA also expanded its KEV catalog to include several older Microsoft vulnerabilities from 2008, 2009, and 2010, alongside CVE-2009-3459 affecting Adobe Acrobat and Reader, highlighting the continued exploitation risk associated with unpatched legacy systems.