Two previously unpatched Windows Defender vulnerabilities were actively exploited before Microsoft issued fixes on May 21, 2026. These zero-days allowed attackers to escalate privileges or disrupt Defender’s protection silently, raising concerns about endpoint security for organizations and individuals relying on Windows Defender.
- One zero-day lets attackers gain full SYSTEM control without elevated permissions by exploiting symbolic link resolution during Defender scans.
- The second enables denial-of-service attacks on Defender’s update mechanism, degrading threat detection without alerts.
- Both vulnerabilities are fixed in recent Malware Protection Engine and Antimalware Platform updates delivered automatically via Defender.
- Federal agencies have deadlines to confirm patching as these flaws are listed in CISA’s Known Exploited Vulnerabilities catalog.
Privilege Escalation Without Elevated Access
The more severe vulnerability, CVE-2026-41091, scored 7.8 on the CVSS scale and targets the Malware Protection Engine. It exploits how Defender resolves symbolic links during file scans, allowing a low-privileged attacker to manipulate links and escalate to SYSTEM-level control. This means attackers don’t need prior admin rights to take over a system, which is serious for endpoint security.
Silent Denial of Service Weakens Defender Updates
The second flaw, CVE-2026-45498, rated 4.0 on CVSS, impacts the Antimalware Platform by blocking definition updates silently. This denial-of-service attack reduces Defender’s ability to detect new threats but doesn’t alert users or administrators. It affects not only standard Defender but also System Center Endpoint Protection and Security Essentials, broadening the impact across Windows security products.
Patch Deployment and Remaining Risks
Microsoft fixed both issues in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Updates are pushed automatically through Defender’s update system, but administrators managing air-gapped or controlled environments should manually verify they are running these versions or newer. Delays in patch deployment could leave systems vulnerable.
The updated engine also addresses a separate heap-based buffer overflow (CVE-2026-45584) with a higher CVSS of 8.1 that could allow remote code execution, although it hasn’t been seen exploited yet.
Ongoing Zero-Day Concerns in Windows Security
These two zero-days are part of a series of vulnerabilities disclosed recently, all targeting Windows security components. Notably, MiniPlasma, which exploits the Cloud Filter driver to gain SYSTEM access on fully patched Windows 11 machines, remains unpatched. This ongoing discovery of zero-days highlights that Windows Defender and related components remain attractive targets for attackers.
The trade-off is clear: Defender’s built-in updates simplify patching, but organizations with strict update controls or air-gapped networks need to actively verify installations to stay protected. Users should ensure their Windows Defender components are up to date and monitor security advisories regularly.
Consider updating immediately if you rely on Windows Defender for endpoint protection. Skip delaying patches only if you have strong compensating controls and verified update procedures in place.
(Via)
