Microsoft Defender Zero‑Days Under Active Attack: CVE‑2026‑41091 and CVE‑2026‑45498 + Video

Listen to this Post

Featured Image

Introduction

Two newly disclosed zero‑day vulnerabilities in Microsoft Defender are being actively exploited in the wild. The first, CVE‑2026‑41091, allows a local attacker to elevate privileges to SYSTEM, while the second, CVE‑2026‑45498, can trigger a denial‑of‑service (DoS) condition that disables endpoint protection. Both flaws affect core components used across all supported Windows versions, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added them to its Known Exploited Vulnerabilities (KEV) Catalog, mandating federal agencies to apply mitigations by June 3, 2026.

Learning Objectives

  • Understand the technical root causes of CVE‑2026‑41091 (improper link resolution) and CVE‑2026‑45498 (input validation failure).
  • Learn how to verify Microsoft Defender engine versions and patch status using Windows commands and PowerShell.
  • Implement immediate detection, containment, and hardening measures to prevent privilege escalation and DoS exploitation.

You Should Know

  1. Technical Deep Dive: Link Following and Input Validation Flaws

CVE‑2026‑41091 resides in the Microsoft Malware Protection Engine (mpengine.dll) versions up to 1.1.26030.3008. The vulnerability is an improper link resolution before file access (CWE‑59) – often called a “link following” weakness. When the Defender scanning engine follows a maliciously crafted link or shortcut, it can be redirected to a high‑privilege system file. Because Defender operates with SYSTEM‑level permissions, the attacker tricks the antivirus into granting them full control over the compromised host. The exploit requires local access but no user interaction (attack complexity low). Microsoft fixed the issue in Malware Protection Engine version 1.1.26040.8.

CVE‑2026‑45498 affects the Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. It stems from insufficient validation of user‑supplied input (CWE‑20) within the threat protection mechanisms. An unauthenticated attacker can craft a malicious payload (e.g., a specially formatted file or network traffic) that forces Defender components to consume excessive resources or crash entirely, temporarily disabling antimalware protection. This DoS condition leaves the system exposed to other threats while Defender recovers. The patch is included in Antimalware Platform version 4.18.26040.7.

Affected and patched versions in a nutshell:

| CVE | Affected Component | Affected Version | Patched Version |

|-|-|||

| CVE‑2026‑41091 | Microsoft Malware Protection Engine | ≤ 1.1.26030.3008 | 1.1.26040.8 |
| CVE‑2026‑45498 | Microsoft Defender Antimalware Platform | ≤ 4.18.26030.3011 | 4.18.26040.7 |

Because both components are used by Microsoft Defender, System Center Endpoint Protection and Microsoft Security Essentials, the impact spans a wide range of products.

2. Verify Your Patch Status – Step‑by‑Step Guide

Most systems are configured to automatically receive malware definition and engine updates, but you must verify that the patches have actually been applied. Use the following methods:

A. Check via Windows Security GUI

  1. Open Windows Security (type “Security” in the Start menu).
  2. Go to Virus & threat protection → Protection updates.
  3. Click Check for updates to force a signature update.
  4. Then go to Settings → About and examine the Antimalware Client Version number.

– For CVE‑2026‑41091, the Malware Protection Engine version should be `1.1.26040.8` or higher.
– For CVE‑2026‑45498, the Antimalware Platform version should be `4.18.26040.7` or higher.

B. Check using PowerShell (Run as Administrator)

 Retrieve the current Antimalware platform version
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion

Alternatively, check the engine version specifically
Get-MpPreference | Select-Object -ExpandProperty AntimalwareVersion

Expected output

– `AMEngineVersion` should be `1.1.26040.8` or newer.
– `AMProductVersion` should be `4.18.26040.7` or newer.

C. Check using Command Prompt

cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -GetEngineVersion

The command returns the current engine version. If it is older than 1.1.26040.8, the system remains vulnerable.

D. Check via Registry (Quick audit for many machines)

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates" | Select-Object EngineVersion, ProductVersion

E. Automate checks across your domain (PowerShell)

$computers = Get-ADComputer -Filter  | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
$version = Invoke-Command -ComputerName $computer -ScriptBlock {
(Get-MpComputerStatus).AMEngineVersion
}
Write-Output "$computer : $version"
}

If any system shows an older version, manually trigger an update using:

Update-MpSignature

Or from command line:

MpCmdRun.exe -SignatureUpdate

3. Immediate Detection and Incident Response

Because exploitation is already happening in the wild, defenders should hunt for signs of privilege escalation and DoS attempts.

Detecting attempts for CVE‑2026‑41091 (Privilege Escalation)

  • Monitor for unusual link resolution activities using Sysmon Event ID 11 (FileCreate) and Event ID 2 (FileCreateStreamHash).
  • Look for processes running as `NT AUTHORITY\SYSTEM` that originate from an unexpected user context.
  • Use the following command to list processes that have escalated to SYSTEM but were launched from a user‑land process:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4674} | Where-Object { $_.Message -match "SYSTEM" }
    

Detecting DoS attempts for CVE‑2026‑45498

  • High CPU or memory usage of `MsMpEng.exe` (the Defender scanning process) can indicate a resource‑exhaustion attack.
  • Use Performance Monitor to track `\Process(MsMpEng)\% Processor Time` and \Process(MsMpEng)\Working Set.
  • In Windows Event Viewer, check Applications and Services Logs/Microsoft/Windows/Windows Defender/Operational for event ID 1116 (malware detection) and 2000 (engine crash).
  • A sudden flood of scan errors may point to crafted payloads. Run this PowerShell to query for Defender service crashes:
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; ID=7034} | Where-Object { $_.Message -like "MsMpEng" }
    

If a compromise is suspected, isolate the host immediately:

 Disable network interfaces (run as Administrator)
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

Or use Microsoft Defender for Endpoint Live Response commands
 "isolate" command to cut network communication while preserving investigation capabilities.
  1. Hardening and Mitigation (When Patching Is Not Immediate)

If you cannot patch right away, apply these layered defenses:

  • Disable Defender only as a last resort – Microsoft noted that systems with Defender intentionally disabled are not exploitable, but this leaves the machine completely unprotected. Only consider this in isolated, controlled environments.
  • Enforce application whitelisting – Use AppLocker or Windows Defender Application Control (WDAC) to prevent execution of unknown payloads that might trigger the link‑following flaw.
  • Restrict local user permissions – Since CVE‑2026‑41091 requires local access, reduce the number of standard users who can log on interactively. Use the Local Users and Groups snap‑in (lusrmgr.msc) to review and prune privileged accounts.
  • Implement network segmentation – For CVE‑2026‑45498, which can be triggered remotely (via email attachments or network traffic), ensure critical systems are isolated on separate VLANs and enforce strict inbound/outbound filtering.
  • Monitor resource usage thresholds – Configure alerts when `MsMpEng.exe` exceeds 80% CPU for more than 5 minutes. Use PowerShell to set up a scheduled task that triggers an alert:
    $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\Scripts\DefenderAlert.ps1"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
    Register-ScheduledTask -TaskName "MonitorDefenderCPU" -Action $action -Trigger $trigger
    

5. Step‑by‑Step Remediation for Enterprises

For large‑scale environments, use Microsoft Endpoint Manager (MEM) or Group Policy to enforce the update:

Using Group Policy

1. Open Group Policy Management Console.

  1. Navigate to Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Signature Updates.
  2. Set “Define the number of days before signature updates are downloaded” to 1.
  3. Set “Define the source of definition updates for signature updates” to “Microsoft Update Server”.
  4. Link the policy to your domain. Run `gpupdate /force` on target machines.

Using PowerShell Remoting

Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock {
Update-MpSignature -UpdateSource MicrosoftUpdateServer
Start-Sleep -Seconds 30
$engine = (Get-MpComputerStatus).AMEngineVersion
if ($engine -ge "1.1.26040.8") {
Write-Output "$env:COMPUTERNAME patched successfully"
} else {
Write-Output "$env:COMPUTERNAME update failed"
}
}

Using Microsoft Endpoint Manager (Intune)

  1. Create a new antivirus policy for Windows 10/11 devices.
  2. Under “Security intelligence updates”, set the update schedule to “Every hour”.
  3. Deploy the policy to all Windows device groups.
  4. Monitor the “Antimalware platform version” and “Antimalware engine version” in the Endpoint Manager dashboard.

6. What Undercode Say

  • Key Takeaway 1: The combination of a local privilege escalation (LPE) and a denial‑of‑service flaw in the same security product is especially dangerous – while the LPE gives attackers full control, the DoS can be used to disable protection before other exploits are launched. Organisations must prioritise patching both vulnerabilities, not just the higher‑scored CVE‑2026‑41091.
  • Key Takeaway 2: Relying on “automatic updates” is not enough. Active exploitation windows are shrinking, and many enterprises have found that Defender engine updates can be delayed by stale Group Policies, offline systems, or misconfigured WSUS. Manual verification – using the PowerShell commands shown above – should be part of every monthly patch cycle.
  • Analysis: These zero‑days represent a paradigm shift: attackers are now targeting the very tools that are supposed to protect us. The improper link resolution flaw (CWE‑59) is a classic programming error, yet it has remained in one of the world’s most widely deployed security engines. This incident reinforces the need for “defence in depth” – even the most trusted security software must be treated as a potential attack surface. Visibility (through EDR logs), identity governance (least privilege), and rapid response processes (automated containment) are no longer optional; they are the only safety net when a zero‑day slips through.

Prediction

The active exploitation of Microsoft Defender vulnerabilities is likely to accelerate a broader industry shift toward “extended detection and response” (XDR) platforms that decouple detection from the underlying antivirus engine. Over the next 12 months, we anticipate:
– Increased vendor investment in memory‑safe languages for core scanning components to eliminate whole classes of vulnerabilities such as improper link resolution.
– Regulatory mandates requiring organisations to verify the patch status of security tools themselves, not just operating systems.
– A rise in “defender‑aware” exploit chains – attackers will combine these types of flaws (LPE + DoS) more frequently, first disrupting the EDR/AV sensor, then elevating privileges.
– Microsoft will likely release “Defender Lite” – a reduced‑functionality scanning mode for high‑sensitivity environments, minimising the attack surface while still providing baseline protection.

The clock is ticking: CISA’s June 3 deadline means every federal agency (and any organisation that follows federal guidance) has only two weeks to fully remediate. Any delay will be measured in compromised systems. Do not wait – verify your patch status today.

▶️ Related Video (90% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Windows – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky