Microsoft Defender Zero-Day CVE-2026-41091: Close This Gap Now

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Two Microsoft Defender zero-days are being chained in active attacks to disable Windows endpoint protection and achieve full SYSTEM-level compromise on 1.4 billion Windows devices that remain unpatched until admins manually verify their Defender platform version.
CVE-2026-41091, a CVSS 7.8 privilege escalation flaw in Microsoft Malware Protection Engine (mpengine.dll), lets any local attacker escalate to SYSTEM by exploiting a link-following weakness. Defender improperly resolves symlinks before accessing files during threat remediation, and attackers manipulate that process to write arbitrary data to privileged filesystem paths. Microsoft confirmed active exploitation of this Microsoft Defender zero-day on May 20, 2026, the same day CISA added both CVE-2026-41091 and its companion flaw CVE-2026-45498 to the Known Exploited Vulnerabilities (KEV) catalog.
The attack chain pairs both CVEs for maximum impact. CVE-2026-45498 (CVSS 4.0) triggers a denial-of-service state in the Microsoft Defender Antimalware Platform, crashing the real-time protection engine and allowing malware to execute without detection. With Defender blinded, attackers deploy CVE-2026-41091 to escalate from a standard user account to SYSTEM, the highest privilege tier on Windows, without triggering any remaining endpoint alerts.
The exposure matters right now because both patches push through Microsoft Defender's automatic signature update mechanism, meaning most organizations believe they are protected when they may not be. Automatic updates require a stable network connection and periodic check-ins; air-gapped systems, VPN-isolated workstations, and endpoints with tampered update settings may still be running the vulnerable Malware Protection Engine version 1.1.26030.3008. Federal agencies have until June 3, 2026 to confirm remediation. Every other organization should close this gap before the weekend.
How Does the Microsoft Defender Zero-Day CVE-2026-41091 Work?
CVE-2026-41091 exploits a link-following weakness in mpengine.dll, the Microsoft Malware Protection Engine module that handles real-time scanning, file remediation, and malware cleaning. When Defender's threat remediation engine identifies a malicious file, it prepares to clean or quarantine it by resolving the file path. The vulnerability lies in the gap between path resolution and file access: an attacker inserts an NTFS junction point or symbolic link between those two operations using a batch opportunistic lock (oplock) technique.
The specific attack sequence proceeds as follows. First, the attacker drops a file that Defender scans and prepares to remediate. Second, the attacker pauses Defender's file operation by acquiring an oplock on the target file, creating a race condition window. Third, during that window, the attacker replaces the target file path with an NTFS junction redirecting to a privileged system path. Fourth, when the oplock releases, Defender follows the junction and writes under SYSTEM-level privileges to the redirected location, overwriting a protected system file chosen by the attacker.
This technique is a time-of-check to time-of-use (TOCTOU) race condition, a class of vulnerability also seen in the earlier BlueHammer (CVE-2026-33825) and RedSun exploits released by researcher Chaotic Eclipse in April 2026 as a public protest against Microsoft's vulnerability disclosure handling. Huntress Labs confirmed active exploitation of CVE-2026-41091 alongside CVE-2026-33825 in hands-on-keyboard intrusions, where attackers gained initial access through compromised SSL VPN credentials before deploying the Defender privilege escalation locally.
The vulnerability affects Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier across Microsoft Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, and all related products using mpengine.dll. Source: The Hacker News, BleepingComputer.
“Successful exploitation of CVE-2026-41091 enables an authorized attacker to elevate privileges locally. The vulnerability stems from improper link resolution before file access.”
Microsoft Security Response Center, May 20, 2026
CVE-2026-45498: The Companion Flaw That Blinds Your Defenses
CVE-2026-45498 is a CVSS 4.0 denial-of-service vulnerability in the Microsoft Defender Antimalware Platform (versions 4.18.26030.3011 and earlier). On its own, CVE-2026-45498 carries a lower severity rating. Chained with CVE-2026-41091, it becomes the first stage of a two-step takedown of Windows endpoint security.
When an attacker triggers CVE-2026-45498, the Microsoft Defender Antimalware Platform enters a crash state and stops processing real-time protection events. Signature scanning halts. Behavior monitoring stops. Exploit protection rules no longer fire. The endpoint becomes functionally undefended for the duration of the crash, which attackers can re-trigger as needed.
This is the same class of capability as the UnDefend zero-day exploited in April 2026, which prevented Microsoft Defender from receiving definition updates so that freshly deployed malware had no available signatures to match. CVE-2026-45498 is a formally assigned CVE for a similar capability, now confirmed exploited in the wild.
The combined attack pattern observed by Huntress Labs proceeds as follows: the attacker establishes initial access via a compromised SSL VPN account, drops a small stager, triggers CVE-2026-45498 to crash Defender, then runs CVE-2026-41091 to escalate to SYSTEM without generating any Defender telemetry. From SYSTEM, the attacker can disable Windows Event Log, install persistence, and exfiltrate credentials before re-enabling Defender to avoid long-term detection gaps that would alert a security operations center.
Organizations running Microsoft System Center Endpoint Protection, Security Essentials, or third-party products that embed the Microsoft Defender Antimalware Platform SDK are also affected by CVE-2026-45498. Patch confirmation requires checking both the Malware Protection Engine version (must be 1.1.26040.8 or later) and the Antimalware Platform version (must be 4.18.26040.7 or later). Source: Help Net Security.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Active Exploitation Evidence: How Widespread Is the Attack?
CISA confirmed active exploitation of both CVE-2026-41091 and CVE-2026-45498 when it added them to the KEV catalog on May 20, 2026. The agency set a compliance deadline of June 3, 2026 for all US Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 22-01, giving organizations 12 days to confirm remediation.
Microsoft assigned an "Exploitation Detected" status to both CVEs in its Security Response Center portal. Huntress Labs researchers reported observing "hands-on-keyboard threat actor activity" that included the Defender privilege escalation chain in multiple separate incident response cases during May 2026. All confirmed cases involved initial access via compromised SSL VPN credentials, consistent with the broader trend of identity-based initial access that accounted for 32.8 percent of all identifiable intrusion incidents in the first quarter of 2026, per a CrowdStrike threat intelligence report.
No specific threat actor group has been officially attributed to the CVE-2026-41091 and CVE-2026-45498 exploitation campaigns as of May 22, 2026. The connection to Chaotic Eclipse's publicly released proof-of-concept code from April 2026 suggests that multiple unrelated actors are operating independently using the same freely available exploit primitives.
Organizations face elevated risk in any environment with: shared Windows workstations or terminal servers where multiple low-privilege users have local access; Windows endpoints with disabled or delayed automatic update policies; air-gapped network segments that cannot reach Microsoft's signature distribution infrastructure; and environments where Defender's tamper protection was previously disabled by an attacker who already has low-level access.
Threat Actor Context: Who Is Exploiting These Flaws?
The exploit primitives behind CVE-2026-41091 were developed and publicly released by a researcher operating under the aliases Chaotic Eclipse and Nightmare Eclipse in April 2026. The researcher published working proof-of-concept code for three Microsoft Defender vulnerabilities, BlueHammer (CVE-2026-33825), RedSun, and UnDefend, as a protest against what the researcher described as Microsoft's inadequate vulnerability disclosure handling and failure to credit independent security researchers.
That public release provided a ready-made exploitation toolkit for any threat actor willing to adapt it. Huntress Labs confirmed that multiple distinct intrusion sets began deploying the privilege escalation technique within 10 days of the PoC publication. CVE-2026-41091 and CVE-2026-45498 represent Microsoft's formal CVE assignments for two of those exploited capabilities: the SYSTEM privilege escalation (CVE-2026-41091 corresponds to the RedSun technique) and the antivirus-kill DoS (CVE-2026-45498 corresponds to the UnDefend technique).
From a threat actor perspective, this vulnerability class is highly attractive for both ransomware operators and espionage actors. Ransomware groups need to disable endpoint detection before deploying encryption payloads; CVE-2026-45498 provides that capability reliably. Nation-state actors conducting long-term dwell operations need to escalate from a compromised low-privilege account to SYSTEM for credential dumping and lateral movement; CVE-2026-41091 provides that capability without requiring kernel exploits.
The broader Windows Defender zero-day exploitation context connects directly to the pattern of Windows zero-day exploitation documented in April 2026, where APT28 weaponized a Windows Shell vulnerability with a similar TOCTOU race condition class for zero-click NTLM credential theft. Attackers are systematically working through Windows' security architecture layer by layer.
“Threat actors gained initial access through a compromised SSL VPN user and then deployed a Defender privilege escalation chain that granted full SYSTEM control within minutes of foothold establishment.”
Huntress Labs Incident Response, May 2026
Remediation: 5 Steps to Patch Microsoft Defender Zero-Days Before the Weekend
Patching CVE-2026-41091 and CVE-2026-45498 does not require a Windows OS update. Both fixes ship through Microsoft Defender's signature and platform update mechanism, which runs independently of Patch Tuesday. The remediation takes under five minutes on a connected endpoint but requires active verification because automatic updates are not guaranteed on isolated or misconfigured systems.
Run all five steps below before end of business today. For fleet-scale remediation using PowerShell, Intune, or SCCM, the detailed commands are available to subscribers below.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Microsoft Defender Zero-Day Exploitation Matters for Your Organization
Microsoft Defender zero-day exploitation is categorically different from a typical application vulnerability because the security tool itself becomes the attack vector. Every organization running Windows relies on Defender as a baseline security control, either as the primary endpoint protection product or as a secondary layer beneath third-party AV software. When that baseline is compromised, the attacker has removed the safety net before their main attack begins.
The combination of CVE-2026-45498 and CVE-2026-41091 maps directly to an adversarial playbook documented in ransomware and APT intrusions throughout 2026: disable the defender, escalate privileges, operate freely. Both exploits derive from publicly released PoC code, which means the technical barrier to deployment is low. Any threat actor with a compromised domain account and local access can replicate this attack chain today using freely available tools.
The broader pattern of CISA Known Exploited Vulnerabilities additions in 2026 shows a consistent theme: attackers target security infrastructure first. Cisco SD-WAN authentication bypasses, Exchange Server spoofing flaws, and now Defender privilege escalation all represent attacks on the tools organizations trust to protect them. Closing this gap is not just about patching two CVEs. It is about restoring the integrity of your endpoint security baseline before attackers weaponize it further.
Five minutes of forced Defender updates today is worth days of incident response next week. Every Windows endpoint in your organization is a potential lateral movement target until it runs Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Source: CISA KEV Catalog, Malwarebytes.
The bottom line
The Microsoft Defender zero-day CVE-2026-41091 and companion CVE-2026-45498 are actively exploited to disable endpoint protection and escalate to SYSTEM on unpatched Windows endpoints worldwide. Both are on CISA's KEV catalog with a June 3, 2026 federal deadline. Three key takeaways: automatic updates are not guaranteed, so verify your Engine version manually; the two CVEs chain together to blind Defender before the privilege escalation fires; and all confirmed cases started with a compromised SSL VPN account. Verify your Defender platform version is 1.1.26040.8 or later before you close your laptop today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-41091?
CVE-2026-41091 is a CVSS 7.8 privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), the core scanning component of Microsoft Defender. The flaw exploits an improper link resolution before file access during Defender's threat remediation process. An attacker with local user access can insert an NTFS junction point during the remediation window to redirect Defender's SYSTEM-level file write to an arbitrary privileged path, gaining full SYSTEM control of the Windows endpoint. It is actively exploited in the wild and on CISA's KEV catalog as of May 20, 2026.
Is my Windows computer vulnerable to CVE-2026-41091?
Your system is vulnerable if it runs Microsoft Malware Protection Engine version 1.1.26030.3008 or earlier. To check: open Windows Security, go to Virus and threat protection, click Manage settings, and scroll to Security intelligence to view the Engine version. If you see 1.1.26040.8 or higher, you are patched. Affected products include Microsoft Defender Antivirus, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, and any product that embeds mpengine.dll.
What is the difference between CVE-2026-41091 and CVE-2026-45498?
CVE-2026-41091 (CVSS 7.8) is a privilege escalation flaw in the Malware Protection Engine that lets attackers gain SYSTEM privileges. CVE-2026-45498 (CVSS 4.0) is a denial-of-service flaw in the Microsoft Defender Antimalware Platform that crashes Defender's real-time protection engine. In confirmed attacks the two are chained: CVE-2026-45498 kills Defender first so the privilege escalation via CVE-2026-41091 runs without generating any endpoint detection alerts. Patch both to close the attack chain.
How do I check my Microsoft Defender version?
Open the Windows Security app. Navigate to Virus and threat protection, then select Virus and threat protection settings. Scroll down to Security intelligence and you will see both the Antimalware Client Version and the Security intelligence version. You can also check via PowerShell with: Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion. The patched versions are Malware Protection Engine 1.1.26040.8 or later and Antimalware Platform 4.18.26040.7 or later.
Does Microsoft Defender automatically patch CVE-2026-41091?
Microsoft Defender updates the Malware Protection Engine automatically through its signature update mechanism, separate from Windows Update or Patch Tuesday. For most connected endpoints the patch should deploy automatically within days. However, automatic updates can fail on air-gapped systems, VPN-isolated workstations, or endpoints with tampered update settings. Manual verification is required to confirm the fix is applied. In Windows Security go to Virus and threat protection and click Check for updates to force an immediate update and verify the Engine version.
What does CISA KEV listing mean for my organization?
A CISA Known Exploited Vulnerability listing means the agency has confirmed active in-the-wild exploitation. Under Binding Operational Directive 22-01, all US Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by the published due date, which is June 3, 2026 for CVE-2026-41091 and CVE-2026-45498. For non-federal organizations, a KEV listing signals that attackers are actively deploying this exploit in real intrusions, making immediate patching an urgent priority regardless of compliance obligations.
Can CVE-2026-45498 be used to disable antivirus protection?
Yes. CVE-2026-45498 crashes the Microsoft Defender Antimalware Platform into a denial-of-service state, stopping real-time protection, behavior monitoring, and exploit guard from functioning. Attackers exploit this to create a detection-free window during which they execute malware or run the CVE-2026-41091 privilege escalation without triggering alerts. The crash can be re-triggered as needed. Patching to Antimalware Platform version 4.18.26040.7 or later closes this attack vector completely.
Who is exploiting these Microsoft Defender zero-days?
No specific threat actor group has been officially attributed to the CVE-2026-41091 and CVE-2026-45498 campaigns as of May 22, 2026. The exploits derive from public proof-of-concept code released by researcher Chaotic Eclipse in April 2026 as a disclosure protest. Huntress Labs confirmed multiple distinct intrusion sets deploying the privilege escalation chain, all beginning with compromised SSL VPN credentials for initial access. The public PoC availability means both ransomware operators and nation-state espionage actors are likely using variants of this technique.
Sources & references
- The Hacker News, Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- BleepingComputer, Microsoft warns of new Defender zero-days exploited in attacks
- CISA, Known Exploited Vulnerabilities Catalog
- Help Net Security, Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)
- Malwarebytes, Microsoft Defender vulnerabilities are being exploited in the wild
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
