ctipilot.ch

Microsoft Defender Antivirus local DoS — exploited alongside CVE-2026-41091 in combined out-of-band engine update 4.18.26040.7

cve · CVE-2026-45498

Coverage timeline
2
first 2026-05-18 → last 2026-05-25
Entries
2
2 distinct days
Sources cited
2
2 hosts
Sections touched
2
updates, weekly-top-stories
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-05-22Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
    updatesMicrosoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
  2. 2026-05-18Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix
    weekly-top-storiesMicrosoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix

Where this entity is cited

  • weekly-top-stories1
  • updates1

Source distribution

  • msrc.microsoft.com1 (50%)
  • thehackernews.com1 (50%)

Related entities

Entries about Microsoft Defender Antivirus local DoS — exploited alongside CVE-2026-41091 in combined out-of-band engine update 4.18.26040.7 (2)

2026-05-22 · view entry permalink →

NOTABLECVE-2026-41091 +1exploitedupdate

Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix

UPDATE · originally covered CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited (2026-05-20)

Both Microsoft Defender vulnerabilities confirmed as actively exploited in the wild in a combined out-of-band engine update (The Hacker News, 2026-05-21). CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in MsMpEng.exe) allows an authorized local standard-user to abuse Defender's privileged process's symbolic-link resolution during file-system operations to elevate to NT AUTHORITY\SYSTEM (T1068 Exploitation for Privilege Escalation). CVE-2026-45498 (CVSS 4.0, local DoS) was exploited alongside CVE-2026-41091 in observed attacks. Fixed: CVE-2026-41091 (LPE) requires Defender Antimalware Engine >= 1.1.26040.8; CVE-2026-45498 (DoS) requires Antimalware Platform >= 4.18.26040.7. Verify both via Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion — environments with delayed WSUS/Intune update rings must confirm the engine version, not only the platform version, to confirm the LPE patch is applied. Environments with delayed auto-update channels (WSUS/Intune with manual approval) or air-gapped Defender deployments are at risk. Hunt signal: Sysmon EID 1 for SYSTEM-level process spawns from MsMpEng.exe as parent.

UPDATE (originally covered 2026-05-20): Both Microsoft Defender vulnerabilities confirmed as actively exploited in the wild in a combined out-of-band engine update (The Hacker News, 2026-05-21).

ctipilot v2 brief (migrated)
vulnerability22 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

HIGHCVE-2026-41091 +1exploited

Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix

If you did nothing this week: the malware-protection engine on your Windows estate became the foothold. Microsoft confirmed both CVEs as actively exploited and shipped a combined out-of-band Defender Engine update (4.18.26040.7) — first disclosed 2026-05-20, confirmed-exploited 2026-05-22.

CVE-2026-41091 is a link-following elevation-of-privilege flaw in the Defender Engine (CVSS 7.8) flagged exploited=Yes and publiclyDisclosed=Yes in the MSRC update guide on 2026-05-19; CVE-2026-45498 was confirmed exploited alongside it. A third flaw disclosed the same day — CVE-2026-45584, a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N) for unauthenticated code execution in the Defender process context (CVSS 8.1) — is patched by the same engine train but not confirmed exploited (§ 3). The engine auto-updates for most estates, but air-gapped, version-pinned, or managed-update environments must verify they are on engine ≥ 4.18.26040.7. Hunt for Defender engine-version regressions and anomalous MpCmdRun.exe activity.

If you did nothing this week: the malware-protection engine on your Windows estate became the foothold.

ctipilot v2 brief (migrated)
synthesis18 May 05:00Zmulti-sourceOpen finding ↗