Microsoft published two Defender vulnerabilities on May 19, 2026 that are being actively exploited in the wild, and CISA has already pushed both into the Known Exploited Vulnerabilities catalog. If you run Windows endpoints, this is a same-week update item, not a "schedule it for the next maintenance window" item. The patches exist, the abuse is happening, and the BOD 22-01 deadline for federal civilian agencies is June 3, 2026.
What follows: what happened, who needs to act, and what to do today before someone else makes the decision for you.
What's being exploited
CVE-2026-41091 is an Elevation of Privilege bug in Microsoft Defender's scanning logic, rated Important. The root cause is improper link resolution before file access. An authenticated local attacker plants symbolic links or NTFS junctions that point at attacker-controlled paths, then triggers Defender to follow them. Defender operates with SYSTEM privileges during scan operations, so the file actions Defender performs on those crafted targets execute as SYSTEM. Net result: a non-admin local user gets full SYSTEM on the host.
The attacker needs an authenticated session already. That sounds like a high bar until you remember that initial-access malware lands at user level, then chains a local privilege escalation to get persistence and lateral-movement capability. CVE-2026-41091 is the second-stage tool intrusion sets are looking for. The Hacker News and BleepingComputer both confirm the in-the-wild abuse is happening.
CVE-2026-45498 is a Denial of Service in the Microsoft Defender Antimalware Platform itself. Attackers can trigger a platform-level crash that takes Defender's protection capabilities offline. The exploitation pattern here is the obvious one: kill the EDR/AV before deploying the actual payload, get a clean window for follow-on actions, restore Defender or leave it broken depending on how careful the operator is. CISA's KEV listing tells you this is being chained operationally, not a theoretical concern.
Both vulnerabilities affect core Defender components on all supported Windows releases. Server SKUs, client SKUs, enterprise plus home editions. If Defender is the security control on the box, the box is in scope.
Who needs to care this week
You care if:
- You operate Windows endpoints with Defender as the primary AV/EDR
- You're a SOC analyst monitoring Defender telemetry
- You manage a federal civilian agency endpoint fleet (BOD 22-01 deadline June 3, 2026)
- Your incident response runbook assumes Defender is the canary that flags initial compromise
You can probably defer if:
- Your endpoint protection is CrowdStrike Falcon / SentinelOne / Sophos, or any third-party EDR that has displaced Defender entirely. Defender may still be present but inactive
- You're on a Mac or Linux fleet
- Your Windows hosts are air-gapped and the threat model genuinely doesn't include authenticated local users
For everyone else, this is patch-this-week material.
What defenders should do today
Verify your Defender platform version. The fixed versions are 1.1.26040.8 (Antimalware Client) and 4.18.26040.7 (Antimalware Platform). PowerShell:
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AMEngineVersion, AMProductVersion
If your AMProductVersion is below 4.18.26040.7, you are exposed.
Push the update via your normal channel. Microsoft Defender updates ship through Windows Update plus the Defender platform update mechanism (separate from the OS patch cycle). Most enterprises have this on auto-update, but plenty have it gated behind change windows. If yours is gated, this is the cycle where you unblock it.
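To turn that one-liner into a pass/fail check you can push through Intune or an RMM, here is an added PowerShell script (not from the original post) that compares the live Get-MpComputerStatus values against the fixed builds quoted above; mapping the 1.1.26040.8 client build onto the AMEngineVersion property is an assumption.

```powershell
# Added example, not from the original post. Checks whether this host's
# Defender platform is at or above the fixed builds the post quotes.
# AMProductVersion -> 4.18.26040.7 is what the post states; mapping the
# 1.1.26040.8 "Antimalware Client" build onto AMEngineVersion is assumed.
$Fixed = @{
    AMProductVersion = [version]'4.18.26040.7'   # Antimalware Platform (from the post)
    AMEngineVersion  = [version]'1.1.26040.8'    # assumed property for the client build
}

function Test-DefenderPatchLevel {
    param(
        # Accepts a Get-MpComputerStatus result; defaults to the live host.
        [Parameter()] $Status = (Get-MpComputerStatus),
        [hashtable] $Baseline = $Fixed
    )
    foreach ($prop in $Baseline.Keys) {
        $raw = $Status.$prop
        # Defender reports versions as strings. An empty value means the cmdlet
        # could not read the platform at all, which is itself worth flagging.
        $current = if ($raw) { [version]$raw } else { $null }
        [pscustomobject]@{
            Component = $prop
            Installed = $raw
            Required  = $Baseline[$prop].ToString()
            Patched   = ($null -ne $current) -and ($current -ge $Baseline[$prop])
        }
    }
}

# Non-zero exit when any component is below the fixed build, so the script
# drops straight into a compliance/remediation pipeline.
$report = Test-DefenderPatchLevel
$report | Format-Table -AutoSize
if ($report.Patched -contains $false) {
    Write-Warning "Defender below the fixed build for CVE-2026-41091 / CVE-2026-45498 on $env:COMPUTERNAME"
    exit 1
}
```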
Audit symlink/junction creation in user-writable paths. CVE-2026-41091 hinges on attacker-planted links. If you can detect or block user-mode symbolic link creation outside known-good paths, you have a compensating control while the update rolls out. Sysmon Event ID 11 (FileCreate) on *.lnk or *.junction, or any rapid CreateSymbolicLink API calls from non-admin processes, is the telemetry to grep for.
Hunt for Defender service interruptions. CVE-2026-45498 manifests as Defender crashing. Look for Event ID 5007 in the Windows Defender operational log, plus any unexpected stop of MsMpEng.exe. If you're seeing Defender crashes that pre-date the patch on hosts you care about, that's potentially active exploitation already, not noise.
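An added hunt script, not part of the original post, that pulls both of those signals from the local event logs in one pass: link-style file creations by non-SYSTEM principals from Sysmon Event ID 11, and Event ID 5007 plus the current state of MsMpEng.exe and the WinDefend service. The 24-hour window, the non-SYSTEM filter and the extension pattern are assumptions, and Sysmon's User field needs a recent Sysmon build.

```powershell
# Added example, not from the original post. Collects the two hunt signals
# the post names. Log names are the standard Windows ones; the lookback
# window and the filters below are assumptions you should tune to your fleet.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-SuspiciousLinkCreates {
    # Sysmon 11: TargetFilename is the created file. Keep the extensions the
    # post names and drop creations by SYSTEM (Defender itself, installers).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TargetFilename -match '\.(lnk|junction)$' -and $d.User -notmatch 'SYSTEM$') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $d.User
                Image  = $d.Image
                Target = $d.TargetFilename
            }
        }
    }
}

function Get-DefenderInterruptions {
    # Event 5007 in the Defender operational log (per the post), alongside the
    # live service/process state so a crash that never restarted is obvious.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Event5007Count = @($events).Count
        ServiceStatus  = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status
        MsMpEngRunning = [bool](Get-Process MsMpEng -ErrorAction SilentlyContinue)
    }
}

Get-SuspiciousLinkCreates | Format-Table -AutoSize
Get-DefenderInterruptions | Format-List
```

A non-running MsMpEng.exe or a stopped WinDefend service on a host that has not yet received the platform update is the case the post tells you to treat as possible exploitation rather than noise.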
Tighten EDR fallback. If your only AV is Defender and CVE-2026-45498 takes it offline, you have a blind window. Even a basic Sysmon + log forwarding + alert pipeline is meaningful insurance for the next two weeks while the patch rolls.
Watch CISA KEV updates. Both CVEs are now KEV-listed. CISA's pattern is to update advisories as they get better exploit telemetry. If a related CVE chain shows up (it usually does within 30-60 days of an EoP zero-day), you want to know.
What this signals about the Defender ecosystem
Defender being the primary AV on Windows means a vulnerability in Defender is a vulnerability in the Windows security boundary itself. There's no "swap to a different AV temporarily" option for most fleets; the swap takes weeks and breaks existing detections. So when Defender ships an exploitable bug, the practical response is "patch fast and accept the blast-radius window."
The April advisory cycle also had Defender zero-days, with three actively-exploited items and at least two unpatched at the time of disclosure (per The Hacker News reporting). The May cycle adding two more puts the count at 5 actively-exploited Defender zero-days inside 60 days. That's a pattern, not noise. Either the offensive research community is focusing on Defender specifically (likely given its ubiquity), or Microsoft's internal hardening process for Defender has gaps adversaries have learned to find faster than the patch cycle.
For SOC teams: the practical implication is that "Defender is healthy" isn't sufficient assurance anymore. The platform itself is now a credible attack surface, not the thing watching for attacks. Add Defender-version telemetry to your daily health check the same way you'd track signature freshness.
For CISOs: the next Q4 endpoint-protection decision should weight "what's our exposure if our primary AV is itself the EoP vector" much more heavily than it did a year ago. That doesn't necessarily mean rip and replace, but it might mean a secondary EDR layer.
What's worth not panicking about
This isn't a wormable RCE. There's no internet-facing component. Both CVEs require an authenticated local foothold to start. The blast radius is bounded by your initial-access hygiene, which is what it has always been. Patch normally, hunt for the symptoms, and move on.
If your fleet is genuinely current on Defender platform versions, you were probably patched within the auto-update window already. The PowerShell command above is the 30-second check.
Resources
If you want the deeper toolset for Defender-aware incident response, including the queries, hunt rules, and playbooks I use, those live in the Claude Code cookbooks, which include a cybersec cookbook covering EDR/AV chains. For comparison reviews of the endpoint-protection stack alternatives (Defender vs CrowdStrike vs SentinelOne), check tools.thesoundmethod.me.
Sources
- Help Net Security: Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)
- The Hacker News: Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- BleepingComputer: Microsoft warns of new Defender zero-days exploited in attacks
- Malwarebytes: Microsoft Defender vulnerabilities are being exploited in the wild
- Cybersecurity News: CISA Warns of Microsoft Defender 0-Day Vulnerabilities
- Eastern Herald: Microsoft Defender Zero-Days Exploited in Global Attacks
- The Hacker News (April cycle): Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Canonical: tools.thesoundmethod.me