Microsoft has flagged two Microsoft Defender flaws — CVE-2026-41091 (CVSS 7.8) and CVE-2026-45498 (CVSS 4.0) — as being exploited in live attacks. Both have been entered into CISA's Known Exploited Vulnerabilities catalog, with Federal Civilian Executive Branch agencies ordered to remediate by June 3, 2026. The pair appears to map onto Defender zero-days previously published by an independent researcher, and patches are already shipping through Defender's antimalware platform updates.

The two flaws

CVE-2026-41091 is the more serious of the pair. Rated CVSS 7.8, it is a local privilege-escalation issue that lets an attacker climb all the way to SYSTEM. Microsoft's advisory text describes the root cause as a link-following weakness:

"Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally."

In other words, an attacker who already has a foothold on the machine — an authorized but low-privilege user — can abuse how Defender resolves filesystem links to redirect a privileged file operation toward a target of their choosing, ending up with SYSTEM-level access.

CVE-2026-45498 carries a much lower CVSS score of 4.0 and is a denial-of-service condition in Microsoft Defender. On its own it's relatively minor, but Microsoft notes it is being used alongside other bugs, which is why it still warrants prompt patching rather than being deferred.

Possible link to public zero-day disclosures

Microsoft hasn't officially tied the two CVEs to any prior research, but the wording of both advisories lines up closely with two Defender zero-days — nicknamed RedSun and UnDefend — that were released by a researcher going by Chaotic Eclipse (also known as Nightmare-Eclipse).

That researcher dumped several Defender vulnerabilities publicly as a protest against how the Microsoft Security Response Center managed the coordinated-disclosure process. The fallout was a wave of follow-on findings that attackers moved quickly to weaponize.

A proof-of-concept for the privilege-escalation bug is publicly available. The repository at 0xBlackash/CVE-2026-41091 (published May 21, 2026) describes RedSun as a local privilege-escalation technique with an accompanying PoC that abuses the link-following flaw in Microsoft Defender. The CVE was assigned and described on May 20, 2026, per the CVE.org record and the NVD entry.

Technical background: link-following privilege escalation

This section explains the general class of bug behind CVE-2026-41091; the specifics below are illustrative, not extracted from Microsoft's advisory.

Link-following (sometimes called a symlink or junction attack) bugs happen when a privileged process — here, a Defender component running as SYSTEM — performs a file operation (write, delete, move, or permission change) on a path that a lower-privileged user controls, without first verifying that the path isn't a link pointing somewhere sensitive.

On Windows the typical primitives are NTFS directory junctions and object-manager symbolic links, often combined with "opportunistic locks" (oplocks) to win the race window. The general pattern looks like:

  1. A low-privilege attacker identifies a file or directory that a SYSTEM service writes to or cleans up in a predictable location (for example, a temp or quarantine directory).
  2. The attacker replaces that location with a junction/symlink that redirects to a protected target — say, a DLL search path or a file in a system directory.
  3. When the privileged Defender process follows the link and performs its operation, it acts on the attacker-chosen target with SYSTEM rights, yielding arbitrary file write/overwrite — which is then leveraged into code execution as SYSTEM.

The fix for such issues is normally to resolve and validate the final path before acting (opening with flags that refuse reparse points, or impersonating the requesting user), which is consistent with Microsoft's "improper link resolution before file access" description.

Patches and affected versions

Both issues are fixed in updated Microsoft Defender Antimalware Platform builds:

  • CVE-2026-41091 — fixed in Microsoft Defender Antimalware Platform version 1.1.26040.8
  • CVE-2026-45498 — fixed in Microsoft Defender Antimalware Platform version 4.18.26040.7

Defender's platform components generally update on their own, but because exploitation is already happening, administrators should confirm the deployed antimalware platform version rather than assume the rollout completed.

You can check the current platform versions in PowerShell:


Get-MpComputerStatus | Select-Object AMServiceVersion, AMEngineVersion, AMProductVersion

To force Defender to pull the latest platform and signature updates:


Update-MpSignature

Confirm the reported AMServiceVersion / platform version meets or exceeds the fixed builds above before considering a host remediated.

Why this matters now

CISA has placed both CVE-2026-41091 and CVE-2026-45498 on its KEV catalog and set a remediation deadline of June 3, 2026 for FCEB agencies. The KEV listing is reserved for vulnerabilities under confirmed active exploitation, so the directive is a strong signal for everyone — not only federal entities. Given that a working PoC for the privilege-escalation bug is in the open and the flaws are being chained in real attacks, all organizations should treat this as a high-priority patching event and verify their Defender platform versions immediately.