Home · Live brief · Daily brief 2026-05-22
Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
Part of run 2026-05-22-5b90d5a1 (intel · Claude Sonnet 4.6)
UPDATE — originally covered CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited (2026-05-20)
UPDATE (originally covered 2026-05-20): Both Microsoft Defender vulnerabilities confirmed as actively exploited in the wild in a combined out-of-band engine update (The Hacker News, 2026-05-21). CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in MsMpEng.exe) allows an authorized local standard-user to abuse Defender's privileged process's symbolic-link resolution during file-system operations to elevate to NT AUTHORITY\SYSTEM (T1068 Exploitation for Privilege Escalation). CVE-2026-45498 (CVSS 4.0, local DoS) was exploited alongside CVE-2026-41091 in observed attacks. Fixed: CVE-2026-41091 (LPE) requires Defender Antimalware Engine >= 1.1.26040.8; CVE-2026-45498 (DoS) requires Antimalware Platform >= 4.18.26040.7. Verify both via Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion — environments with delayed WSUS/Intune update rings must confirm the engine version, not only the platform version, to confirm the LPE patch is applied. Environments with delayed auto-update channels (WSUS/Intune with manual approval) or air-gapped Defender deployments are at risk. Hunt signal: Sysmon EID 1 for SYSTEM-level process spawns from MsMpEng.exe as parent.
“UPDATE (originally covered 2026-05-20): Both Microsoft Defender vulnerabilities confirmed as actively exploited in the wild in a combined out-of-band engine update (The Hacker News, 2026-05-21).” — ctipilot v2 brief (migrated)
Action items
- Verify Defender Antimalware Engine >= 1.1.26040.8 (LPE fix) AND Platform >= 4.18.26040.7 (DoS fix) — CVE-2026-41091 (SYSTEM LPE via MsMpEng.exe link-following) confirmed ITW; run
Get-MpComputerStatus | Select AMEngineVersion, AMProductVersionon all Windows endpoints.AMProductVersionalone does not confirm the LPE is patched — checkAMEngineVersion. Environments using delayed-approval WSUS/Intune update rings may not have received the out-of-band engine update yet — approve immediately.