HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Privilege‑Escalation and DoS Vulnerabilities in Microsoft Defender (CVE‑2026‑41091, CVE‑2026‑45498) Exploited in the Wild

Microsoft Defender’s core engine contains two actively exploited flaws—one granting SYSTEM privileges, the other causing denial‑of‑service. Enterprises must patch immediately to avoid endpoint compromise and loss of anti‑malware protection.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 helpnetsecurity.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
helpnetsecurity.com

Critical Privilege‑Escalation and DoS Vulnerabilities in Microsoft Defender (CVE‑2026‑41091, CVE‑2026‑45498) Exploited in the Wild

What It Is – Two flaws in Microsoft Defender’s Malware Protection Engine and Antimalware Platform are being actively exploited. CVE‑2026‑41091 grants local SYSTEM privileges, while CVE‑2026‑45498 can render the anti‑malware service unavailable.

Exploitability – Both vulnerabilities are publicly disclosed and observed in the wild; proof‑of‑concept exploits (BlueHammer, RedSun, UnDefend) have been released. Microsoft and CISA have added them to the Known Exploited Vulnerabilities (KEV) catalog.

Affected Products – Microsoft Defender (all Windows versions), Microsoft Defender Antimalware Platform, Microsoft Malware Protection Engine v1.26030.3008, System Center Endpoint Protection, and legacy Microsoft Security Essentials.

TPRM Impact – Enterprises that rely on Microsoft Defender as a third‑party security layer face potential privilege‑escalation attacks on their endpoints and loss of anti‑malware protection, which can cascade to downstream partners and customers.

Recommended Actions

  • Deploy Microsoft patches v1.1.26040.8 (Malware Protection Engine) and v4.18.26040.7 (Antimalware Platform) immediately.
  • Verify patch rollout across all managed devices and any SaaS‑hosted workloads that use Defender.
  • Align with CISA’s KEV deadline (June 3 2026) – either patch or retire the product in federal environments.
  • Review and harden endpoint hardening policies; consider temporary mitigations (e.g., disabling vulnerable components) if patching cannot be completed instantly.
  • Update incident‑response playbooks to include detection of LPE activity and DoS symptoms tied to Defender.

Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →