ctipilot.ch


Microsoft Defender CVE-2026-41091 + CVE-2026-45498: both CVEs confirmed exploited, out-of-band update (Engine 1.1.26040.8 / Platform 4.18.26040.7) confirmed as fix

notable vulnerability discovered 2026-05-22 05:00 UTC

Part of run 2026-05-22-5b90d5a1 (intel · Claude Sonnet 4.6)

UPDATE — originally covered CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited (2026-05-20)

UPDATE (originally covered 2026-05-20): both Microsoft Defender vulnerabilities are confirmed as actively exploited in the wild and are fixed in a combined out-of-band update (The Hacker News, 2026-05-21).

CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in MsMpEng.exe): an authorized local standard user abuses symbolic-link resolution in Defender's privileged engine process during file-system operations to elevate to NT AUTHORITY\SYSTEM (ATT&CK T1068, Exploitation for Privilege Escalation). CVE-2026-45498 (CVSS 4.0, local DoS) was exploited alongside it in the observed attacks.

Fixed in: Antimalware Engine >= 1.1.26040.8 for CVE-2026-41091 (LPE) and Antimalware Platform >= 4.18.26040.7 for CVE-2026-45498 (DoS). Verify both with Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion. The two fixes live in different components that update through different channels, so a current AMProductVersion (the platform) says nothing about the LPE fix; AMEngineVersion is the value that matters for CVE-2026-41091. Compare versions as [version] objects rather than strings, or 1.1.26040.10 will sort below 1.1.26040.8.

Exposure: environments with delayed auto-update channels (WSUS or Intune rings with manual approval) and air-gapped Defender deployments may not yet have received the out-of-band update.

Hunt signal: Sysmon Event ID 1 (process creation) where ParentImage is MsMpEng.exe and the child runs as NT AUTHORITY\SYSTEM. Legitimate children of MsMpEng.exe are uncommon, so baseline the environment first and prioritise shells and script hosts (cmd.exe, powershell.exe) spawned under it.
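The hunt above, as an added example that is not part of the ctipilot brief and not code from Microsoft or the Sysmon project: it parses Sysmon Event ID 1 records into flat objects and keeps SYSTEM-level children of MsMpEng.exe. It assumes Sysmon is installed with process-creation logging enabled and writing to its default log, Microsoft-Windows-Sysmon/Operational; the function names are this example's own, and the two sample events are constructed, not real telemetry.

```powershell
# Added example, not code from the ctipilot brief or from Microsoft/Sysmon.
# Parses Sysmon Event ID 1 (process creation) records and keeps SYSTEM-level
# children of MsMpEng.exe, the hunt signal named for CVE-2026-41091.
# Assumptions: Sysmon is installed with process-creation logging enabled and
# writes to its default log 'Microsoft-Windows-Sysmon/Operational'; the
# function and parameter names are this example's own.

function ConvertFrom-SysmonProcessCreate {
    # Turn one EID 1 event (an EventLogRecord or its XML string) into a flat object.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        # Sysmon stores every field as <Data Name="...">value</Data>.
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            UtcTime         = $d.UtcTime
            ParentImage     = $d.ParentImage
            ParentProcessId = $d.ParentProcessId
            Image           = $d.Image
            CommandLine     = $d.CommandLine
            User            = $d.User
            IntegrityLevel  = $d.IntegrityLevel
        }
    }
}

function Find-MsMpEngChildren {
    # The brief's signal: parent is MsMpEng.exe and the child runs as SYSTEM.
    param([Parameter(ValueFromPipeline)] $ProcessCreate)
    process {
        if ($ProcessCreate.ParentImage -like '*\MsMpEng.exe' -and
            $ProcessCreate.User -eq 'NT AUTHORITY\SYSTEM') {
            $ProcessCreate
        }
    }
}

# Live hunt over the last 7 days (needs Sysmon and read access to its log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-7) } |
#     ConvertFrom-SysmonProcessCreate | Find-MsMpEngChildren | Format-Table UtcTime, Image, CommandLine

# Constructed sample events (not real telemetry) so the logic can be checked offline:
# a benign Explorer child, and a SYSTEM cmd.exe spawned under MsMpEng.exe.
$benign = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2026-05-21 10:02:11.123</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe</Data><Data Name="User">CORP\alice</Data><Data Name="IntegrityLevel">Medium</Data>
<Data Name="ParentProcessId">4321</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>
'@
$suspect = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2026-05-21 10:05:42.987</Data><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data><Data Name="IntegrityLevel">System</Data>
<Data Name="ParentProcessId">2280</Data><Data Name="ParentImage">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.2\MsMpEng.exe</Data>
</EventData></Event>
'@

# Only the second event survives the filter.
@($benign, $suspect) | ConvertFrom-SysmonProcessCreate | Find-MsMpEngChildren |
    Format-Table UtcTime, Image, CommandLine, User
```

The parent filter matches on file name only, so a renamed binary elsewhere on disk would also hit; for triage, confirm ParentImage sits under the Defender platform directory and that the child is not an expected Defender component before escalating.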


Action items

  • Verify Defender Antimalware Engine >= 1.1.26040.8 (CVE-2026-41091 SYSTEM LPE via MsMpEng.exe link-following, confirmed ITW) and Antimalware Platform >= 4.18.26040.7 (CVE-2026-45498 DoS fix) on all Windows endpoints with Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion. AMProductVersion alone does not confirm the LPE fix; check AMEngineVersion. Delayed-approval WSUS/Intune update rings may not have received the out-of-band update yet: approve it immediately, and air-gapped deployments need it delivered by hand.
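The version check described in the update and in the action item above, as an added example that is not part of the ctipilot brief and not code from Microsoft: it compares a host's engine and platform versions against the fixed builds the brief cites and reports which fix is missing. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present on the host; the function name and the sample status objects are this example's own.

```powershell
# Added example, not code from the ctipilot brief or from Microsoft.
# Checks Defender's engine and platform versions against the fixed builds the
# brief cites and reports which of the two fixes a host is missing.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present,
# i.e. Microsoft Defender Antivirus is installed; the function name is this
# example's own.

function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        # Any object exposing AMEngineVersion and AMProductVersion. Defaults to
        # the live host; pass constructed objects to exercise the logic offline.
        [Parameter(ValueFromPipeline)]
        [object]$Status = (Get-MpComputerStatus)
    )
    process {
        # Thresholds from the brief: LPE fix is in the engine, DoS fix in the platform.
        $requiredEngine   = [version]'1.1.26040.8'    # CVE-2026-41091
        $requiredPlatform = [version]'4.18.26040.7'   # CVE-2026-45498

        # Cast before comparing: as strings, '1.1.26040.10' sorts below '1.1.26040.8'.
        $engine   = [version]$Status.AMEngineVersion
        $platform = [version]$Status.AMProductVersion

        $lpePatched = $engine   -ge $requiredEngine
        $dosPatched = $platform -ge $requiredPlatform

        # A current platform alone never clears the host: the LPE fix rides the engine.
        $verdict = if ($lpePatched -and $dosPatched) { 'OK' }
                   elseif ($lpePatched)              { 'DOS-UNPATCHED' }
                   else                              { 'LPE-UNPATCHED' }

        [pscustomobject]@{
            AMEngineVersion  = $engine
            AMProductVersion = $platform
            LpePatched       = $lpePatched
            DosPatched       = $dosPatched
            Verdict          = $verdict
        }
    }
}

# Live host:
#   Test-DefenderPatchLevel
# Fleet, over PowerShell remoting (the function carries its own thresholds, so it ships as-is):
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-DefenderPatchLevel} |
#       Where-Object Verdict -ne 'OK' | Select-Object PSComputerName, Verdict, AMEngineVersion, AMProductVersion

# Constructed sample statuses (not real hosts) covering the three outcomes.
@(
    [pscustomobject]@{ AMEngineVersion = '1.1.26040.8';  AMProductVersion = '4.18.26040.7' }  # both fixed: OK
    [pscustomobject]@{ AMEngineVersion = '1.1.26030.4';  AMProductVersion = '4.18.26040.7' }  # platform current, engine stale: LPE-UNPATCHED
    [pscustomobject]@{ AMEngineVersion = '1.1.26040.10'; AMProductVersion = '4.18.26030.2' }  # engine past the fix, platform stale: DOS-UNPATCHED
) | Test-DefenderPatchLevel | Format-Table -AutoSize
```

The second sample row is the case the brief warns about: a platform that reports the out-of-band build while the engine is still behind, which a check on AMProductVersion alone would wrongly mark as fixed.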
