ctipilot.ch


CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Microsoft also disclosed CVE-2026-45584 on 2026-05-19 — a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N), allowing unauthenticated code execution in the Defender process context. CVSS 8.1; no exploitation observed at disclosure, no public PoC. The same Engine update (≥ 1.1.26040.8) that closes CVE-2026-41091 also closes CVE-2026-45584. Network-reachable code execution inside an endpoint security product is operationally severe — successful exploitation lands attacker code in the same privileged context as Defender. Treat the Engine version verification step as covering both CVEs.
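
One way to run the Engine version check on a host or a list of hosts, as an added example that is not part of the original brief or Microsoft's own tooling. It uses the built-in `Get-MpComputerStatus` cmdlet and the minimum version stated above; the function name `Test-DefenderEngineVersion` and the status labels are hypothetical, and remote checks assume WinRM/CIM access to the target.

```powershell
# Minimum Engine version from the brief; closes CVE-2026-41091 and CVE-2026-45584.
$MinimumEngine = [version]'1.1.26040.8'

function Test-DefenderEngineVersion {
    # Hypothetical helper name, not a Microsoft cmdlet.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$Minimum = $MinimumEngine
    )
    foreach ($name in $ComputerName) {
        $result = [ordered]@{
            ComputerName  = $name
            EngineVersion = $null
            RunningMode   = $null
            Status        = 'Unknown'
        }
        $session = $null
        try {
            if ($name -in @($env:COMPUTERNAME, 'localhost', '.')) {
                $mp = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $mp = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            # Cast to [version]: a plain string comparison misorders
            # multi-digit components (e.g. '9' sorts after '26040').
            $engine = [version]$mp.AMEngineVersion
            $result.EngineVersion = $engine.ToString()
            $result.RunningMode   = $mp.AMRunningMode
            $result.Status = if ($engine -ge $Minimum) { 'AtOrAboveMinimum' } else { 'BelowMinimum' }
        } catch {
            # Defender absent, host offline or access denied: report the
            # failure instead of counting the host as patched.
            $result.Status = "QueryFailed: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
        [pscustomobject]$result
    }
}

# Local host by default; pass -ComputerName for a list of hosts.
Test-DefenderEngineVersion | Format-Table -AutoSize
```

Hosts that return `BelowMinimum` or `QueryFailed` are the ones to follow up on; a failed query says nothing about the Engine version on that host.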