Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
If you did nothing this week: the malware-protection engine on your Windows estate became the foothold. Microsoft confirmed both CVEs as actively exploited and shipped a combined out-of-band Defender Engine update (4.18.26040.7) — first disclosed 2026-05-20, confirmed-exploited 2026-05-22.
CVE-2026-41091 is a link-following elevation-of-privilege flaw in the Defender Engine (CVSS 7.8) flagged exploited=Yes and publiclyDisclosed=Yes in the MSRC update guide on 2026-05-19; CVE-2026-45498 was confirmed exploited alongside it. A third flaw disclosed the same day — CVE-2026-45584, a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N) for unauthenticated code execution in the Defender process context (CVSS 8.1) — is patched by the same engine train but not confirmed exploited (§ 3).

The engine auto-updates for most estates, but air-gapped, version-pinned, or managed-update environments must verify they are on engine ≥ 4.18.26040.7. Hunt for Defender engine-version regressions and anomalous MpCmdRun.exe activity.
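The two checks the brief asks for (engine-version compliance with regression detection, and a first pass over MpCmdRun.exe process creations) as one added PowerShell example. This is not code from the brief or from Microsoft; it assumes PowerShell remoting to the target hosts, that process-creation auditing (Security event 4688) is enabled on them, and it uses placeholder hostnames and a placeholder snapshot path. `Get-MpComputerStatus` and its `AMEngineVersion` property are the real Defender cmdlet and field; the 4688 EventData field names used for filtering are taken from the standard Security log schema.

```powershell
# Added example (not from the brief or from Microsoft). Verifies the Defender engine build
# against the patched out-of-band engine named in the brief, flags hosts that have rolled
# back since the last snapshot, and summarises MpCmdRun.exe launches for analyst review.

$RequiredEngine = [version]'4.18.26040.7'                 # patched engine build from the brief
$SnapshotPath   = 'C:\CTI\defender-engine-snapshot.json'  # assumed local path (placeholder)
$Targets        = @('HOST-A', 'HOST-B')                   # placeholder hostnames; use your inventory

function Get-DefenderEngineState {
    param([string[]]$ComputerName)
    # AMEngineVersion is the antimalware engine build; kept as a string across the
    # remoting boundary and cast to [version] locally.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            Host          = $env:COMPUTERNAME
            EngineVersion = [string]$s.AMEngineVersion
            SigUpdated    = $s.AntivirusSignatureLastUpdated
        }
    } | Select-Object Host, EngineVersion, SigUpdated
}

function Test-EngineCompliance {
    param([object[]]$State, [version]$Required, [hashtable]$Baseline)
    foreach ($h in $State) {
        $current = [version]$h.EngineVersion
        $prev = $null
        if ($null -ne $Baseline -and $Baseline.ContainsKey($h.Host)) { $prev = [version]$Baseline[$h.Host] }
        [pscustomobject]@{
            Host      = $h.Host
            Engine    = $current
            Patched   = ($current -ge $Required)
            # Regression: engine build is lower than what we recorded last run. Re-imaging,
            # restores and pinned update rings are the usual ways an estate silently rolls back.
            Regressed = ($null -ne $prev -and $current -lt $prev)
            Previous  = $prev
        }
    }
}

function Get-MpCmdRunLaunches {
    # Groups Security 4688 events whose new process is MpCmdRun.exe by launching account and
    # parent process, so uncommon (account, parent) pairs stand out for triage.
    # Assumes 4688 auditing is on; 'NewProcessName' / 'ParentProcessName' / 'SubjectUserName'
    # are the EventData field names of the standard 4688 schema.
    param([string[]]$ComputerName, [int]$Days = 7)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Days -ScriptBlock {
        param($Days)
        $since = (Get-Date).AddDays(-$Days)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                if ($d['NewProcessName'] -like '*\MpCmdRun.exe') {
                    [pscustomobject]@{
                        Host    = $env:COMPUTERNAME
                        User    = $d['SubjectUserName']
                        Parent  = $d['ParentProcessName']
                        Time    = $_.TimeCreated
                    }
                }
            }
    } | Group-Object Host, User, Parent |
        Select-Object Count, Name | Sort-Object Count
}

# Load the previous snapshot (if any), evaluate, and print only the hosts needing attention.
$baseline = @{}
if (Test-Path $SnapshotPath) {
    (Get-Content $SnapshotPath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
}

$state  = Get-DefenderEngineState -ComputerName $Targets
$report = Test-EngineCompliance -State $state -Required $RequiredEngine -Baseline $baseline
$report | Where-Object { -not $_.Patched -or $_.Regressed } | Format-Table -AutoSize

# Persist current builds as the next run's baseline so regressions are caught over time.
$next = @{}
foreach ($h in $state) { $next[$h.Host] = $h.EngineVersion }
$next | ConvertTo-Json | Set-Content $SnapshotPath

# Low-count (host, user, parent) combinations are the ones worth a second look.
Get-MpCmdRunLaunches -ComputerName $Targets | Format-Table -AutoSize
```

The version comparison is done on `[version]` objects rather than strings so that `4.18.26040.7` correctly sorts above a build such as `4.18.9999.1` only where it really is newer, and the snapshot file is what turns a one-off compliance check into regression detection across runs. The MpCmdRun.exe summary deliberately stops at grouping: what counts as anomalous depends on which management tooling legitimately drives MpCmdRun on your estate, so the analyst applies that judgement to the low-count pairs.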