[CDP-development] TLP:GREEN (Vulnerability Alert Notification) Multiple Microsoft Defender Vulnerabilities (CVE-2026-41091 and CVE-2026-45498)
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Wed May 20 15:03:05 PDT 2026
Good afternoon,
The SOC Services team is reporting on the following vulnerabilities: Multiple Microsoft Defender Vulnerabilities, CVE-2026-41091 and CVE-2026-45498, affecting the Microsoft Malware Protection Engine used by Microsoft Defender on enterprise systems. Due to active exploitation concerns, elevated exposure risk, and the potential for remote compromise, we are providing this combined vulnerability notification to support enterprise remediation and defensive operations.
History: Coordinated disclosure was executed on May 20, 2026. The CVSS v3.x base score for CVE-2026-41091 is 7.8 (HIGH) and CVE-2026-45498 is 4.0 (MEDIUM), both assigned by Microsoft.
Affected Versions
* Microsoft Malware Protection Engine version 1.1.26030.3008 or earlier (CVE-2026-41091)
* Microsoft Defender Antimalware Platform version 4.18.26030.3011 or earlier (CVE-2026-45498)
Fixed Versions
* Microsoft Malware Protection Engine version 1.1.26040.8 or later (CVE-2026-41091)
* Microsoft Defender Antimalware Platform version 4.18.26040.7 or later (CVE-2026-45498)
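The following PowerShell check is an added example and is not part of the advisory or of any Microsoft tooling. It reads the locally installed engine and platform versions with Get-MpComputerStatus (its AMEngineVersion and AMProductVersion properties) and compares them with the fixed versions listed above. The -Status parameter is an assumption added so the comparison can be exercised against a constructed status object without querying a live host.

```powershell
# Added example (not from the advisory): compare the local Defender engine and
# platform versions against the fixed versions named in this notification.
# Requires the Defender PowerShell module (Get-MpComputerStatus) on supported
# Windows builds. -Status is an assumed parameter for offline testing only.

function Test-DefenderCvePatchState {
    [CmdletBinding()]
    param(
        # Optional pre-collected status object; defaults to the live host.
        [Parameter()] $Status = $null
    )
    if (-not $Status) { $Status = Get-MpComputerStatus }

    # Fixed versions from the advisory: engine for CVE-2026-41091,
    # antimalware platform for CVE-2026-45498.
    $fixes = @(
        @{ Cve = 'CVE-2026-41091'; Component = 'Malware Protection Engine'
           Installed = [version]$Status.AMEngineVersion;  Fixed = [version]'1.1.26040.8' },
        @{ Cve = 'CVE-2026-45498'; Component = 'Antimalware Platform'
           Installed = [version]$Status.AMProductVersion; Fixed = [version]'4.18.26040.7' }
    )

    foreach ($f in $fixes) {
        # A version below the fix level (including 0.0.0.0 when Defender is
        # disabled and reports no engine) is flagged as still vulnerable.
        [pscustomobject]@{
            CVE        = $f.Cve
            Component  = $f.Component
            Installed  = $f.Installed
            Fixed      = $f.Fixed
            Vulnerable = ($f.Installed -lt $f.Fixed)
        }
    }
}

# Live check on the local host:
Test-DefenderCvePatchState | Format-Table -AutoSize

# Offline check with constructed sample values: an unpatched engine and a
# patched platform, so the first row reports Vulnerable = True.
$sample = [pscustomobject]@{
    AMEngineVersion  = '1.1.26030.3008'
    AMProductVersion = '4.18.26040.7'
}
Test-DefenderCvePatchState -Status $sample | Format-Table -AutoSize
```

Run it from an elevated prompt on each host, or wrap the function in Invoke-Command to collect the two rows fleet-wide; any row with Vulnerable = True is still within scope of the KEV remediation date below.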
More information for these vulnerabilities can be found at the following vendor locations:
CVE-2026-41091: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
CVE-2026-45498: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
Intelligence: On May 20, 2026, CISA listed the vulnerabilities in the Known Exploited Vulnerabilities Catalog.
                        CVE-2026-41091    CVE-2026-45498
Exploitability:         Local             Local
Complexity:             Low               Low
User Interaction:       None              None
Remotely Exploitable:   No                No
Proof of Concept:       No                No
Zero Day:               No                No
Workarounds: There are no workarounds at this time.
How it Works: Below is the explanation on how these CVEs work.
CVE-2026-41091: Attackers can create malicious symbolic links that point to protected system files, causing Defender to operate on unintended targets while maintaining the appearance of legitimate file operations. This behavior violates fundamental security principles of path validation and access control enforcement. The flaw typically occurs in scenarios where Defender processes configuration files, log files, or other system resources that may be accessible through symbolic links.
CVE-2026-45498: This vulnerability allows an unauthenticated attacker to craft malicious payloads that cause Defender components to consume excessive system resources or crash entirely, resulting in service disruption and potential operational downtime for affected organizations.
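To make the CVE-2026-41091 weakness class concrete from the defender's side, the following PowerShell is an added illustration and is not Defender's code or anything published by Microsoft. It shows the path validation a privileged file processor needs before acting on a path a lower-privileged user can influence: every component of the resolved path is checked for a reparse point (symbolic link, junction, or mount point), and the operation is refused if one is found. The function names, the temporary directory, and the sample files are all constructed for the demonstration.

```powershell
# Added example, not from the advisory or from Microsoft: the CWE-59 mitigation
# a privileged file processor needs. Before a service running as SYSTEM reads
# a user-controllable path, each component of the resolved path is checked for
# a reparse point. A planted link therefore cannot redirect the operation to a
# protected file. Function names and sample paths are constructed for the demo.

function Assert-NoReparsePoint {
    param([Parameter(Mandatory)][string]$Path)

    # GetFullPath normalises "." and ".." lexically without touching the disk.
    $full = [System.IO.Path]::GetFullPath($Path)
    $root = [System.IO.Path]::GetPathRoot($full)
    $rel  = $full.Substring($root.Length)
    $current = $root
    $parts = $rel.Split([System.IO.Path]::DirectorySeparatorChar,
                        [System.StringSplitOptions]::RemoveEmptyEntries)
    foreach ($part in $parts) {
        $current = Join-Path $current $part
        # A component that does not exist yet cannot be a link.
        if (-not (Test-Path -LiteralPath $current)) { break }
        $attrs = (Get-Item -LiteralPath $current -Force).Attributes
        if ($attrs -band [System.IO.FileAttributes]::ReparsePoint) {
            throw "Refusing to operate on '$full': '$current' is a reparse point"
        }
    }
    return $full
}

function Read-UserFileSafely {
    param([Parameter(Mandatory)][string]$Path)
    $checked = Assert-NoReparsePoint -Path $Path
    # A check-then-open gap (TOCTOU) remains here; a native implementation
    # would open with FILE_FLAG_OPEN_REPARSE_POINT and validate the handle.
    Get-Content -LiteralPath $checked -Raw
}

# Constructed demonstration in a temporary directory: a plain file under
# "real", and a junction "link" pointing at "real". Junctions need no
# elevation to create, unlike symbolic links on default Windows settings.
$base = Join-Path ([System.IO.Path]::GetTempPath()) ("cwe59-demo-" + [guid]::NewGuid())
$real = New-Item -ItemType Directory -Path (Join-Path $base 'real')
Set-Content -Path (Join-Path $real.FullName 'config.txt') -Value 'constructed sample content'
$null = New-Item -ItemType Junction -Path (Join-Path $base 'link') -Target $real.FullName

# The direct path passes validation and is read.
Read-UserFileSafely (Join-Path $base 'real\config.txt')

# The same file reached through the junction is refused.
try { Read-UserFileSafely (Join-Path $base 'link\config.txt') } catch { Write-Warning $_ }

# Cleanup: remove the junction itself (not its target), then the directory.
Remove-Item -LiteralPath (Join-Path $base 'link') -Force
Remove-Item -LiteralPath $base -Recurse -Force
```

The per-component walk matters because a link can sit in any directory above the file, not only at the leaf; checking only the final path element would miss a redirected parent directory.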
Post-Exploit Impact:
* CVE-2026-41091 (CWE-59 Improper Link Resolution Before File Access ('Link Following')): An authenticated attacker with limited user privileges can leverage this weakness to escalate their access level and potentially gain SYSTEM-level privileges on the affected system. The vulnerability can be exploited through various attack vectors, including scheduled tasks, automated scans, or any Defender operation that processes files through symbolic link traversal. Once escalated, attackers can modify system files, install malicious software, or exfiltrate sensitive data from the compromised system. The attack surface is particularly concerning because Defender is typically installed on all Windows systems and runs with elevated privileges, which makes this vulnerability especially dangerous in enterprise environments.
* CVE-2026-45498 (CWE-129 Input Validation and CWE-770 Allocation of Resources Without Limits or Throttling): The operational impact of this vulnerability extends beyond simple service disruption and can compromise the overall security posture of affected environments. Organizations relying on Microsoft Defender for protection may experience complete loss of threat detection capabilities during the attack window, leaving systems exposed to other threats while the Defender service recovers or is manually restarted.
Indicators of Compromise (IoCs): Currently there are none documented.
Tenable Plugins: As of May 20, 2026, Tenable has not published a list of plugins and currently does not have plugins in its development pipeline.
Recommended Actions:
Date Added to KEV Catalog: 05/20/2026
Due Date for Remediation: 06/03/2026
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV