Microsoft has warned of two actively exploited vulnerabilities in Microsoft Defender, with CISA adding both to its Known Exploited Vulnerabilities catalog and requiring federal agency patching by June 3, 2026.
The Vulnerabilities
CVE-2026-41091 (CVSS 7.8) is a privilege escalation flaw. Successful exploitation allows an attacker to gain SYSTEM privileges. According to Microsoft: "Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally."
CVE-2026-45498 (CVSS 4.0) is a denial-of-service bug impacting Microsoft Defender. While rated lower severity, its active exploitation in conjunction with other vulnerabilities makes it a priority to patch.
Connection to BlueHammer Disclosures
Although Microsoft has not formally confirmed it, the vulnerability descriptions for CVE-2026-41091 and CVE-2026-45498 overlap significantly with those of RedSun and UnDefend — two Defender zero-days previously disclosed by security researcher Chaotic Eclipse (aka Nightmare-Eclipse).
This researcher publicly disclosed multiple Defender flaws in protest of how Microsoft's Security Response Center handled the vulnerability disclosure process, triggering a chain of discoveries that attackers quickly began exploiting.
Patches Available
Both vulnerabilities have been addressed in:
- Microsoft Defender Antimalware Platform version 1.1.26040.8 (CVE-2026-41091)
- Microsoft Defender Antimalware Platform version 4.18.26040.7 (CVE-2026-45498)
Defender typically updates automatically, but organizations should verify their antimalware platform versions are current.
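One way to do that verification across a fleet, as an added example that is not from the article or from Microsoft: the PowerShell script below reads the Defender version fields that Get-MpComputerStatus exposes and compares them with the fixed builds listed above. It assumes Windows hosts with the Defender PowerShell module and, for remote hosts, WinRM; the host names are placeholders. It also assumes that the 4.18.x string corresponds to the platform version field (AMProductVersion) and the 1.1.x string to the engine version field (AMEngineVersion), which is how Get-MpComputerStatus reports the two components.

```powershell
# Added example (not from the article): report Defender hosts whose platform or
# engine build is older than the fixed builds named in the advisory.
# Assumptions: Windows hosts with the Defender PowerShell module; WinRM enabled
# for remote hosts; host names below are placeholders for your inventory.

# Fixed builds from the advisory. Assumption: the 4.18.x value is the platform
# version (AMProductVersion) and the 1.1.x value is the engine version
# (AMEngineVersion), the two fields Get-MpComputerStatus reports.
$RequiredPlatform = [version]'4.18.26040.7'   # CVE-2026-45498
$RequiredEngine   = [version]'1.1.26040.8'    # CVE-2026-41091

function Test-DefenderPatchLevel {
    param(
        [Parameter(Mandatory)] $Status,                  # object from Get-MpComputerStatus
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Missing fields usually mean Defender is disabled or replaced by another AV;
    # surface that instead of silently reporting "patched".
    if (-not $Status.AMProductVersion -or -not $Status.AMEngineVersion) {
        throw "Defender version fields not reported on $ComputerName"
    }
    $platform = [version]$Status.AMProductVersion
    $engine   = [version]$Status.AMEngineVersion
    [pscustomobject]@{
        ComputerName        = $ComputerName
        PlatformVersion     = $platform
        PlatformPatched     = ($platform -ge $RequiredPlatform)
        EngineVersion       = $engine
        EnginePatched       = ($engine -ge $RequiredEngine)
        RealTimeProtection  = $Status.RealTimeProtectionEnabled
        LastSignatureUpdate = $Status.AntivirusSignatureLastUpdated
    }
}

# Local host
Test-DefenderPatchLevel -Status (Get-MpComputerStatus)

# Fleet check. Placeholder host names; replace with your inventory source.
$Hosts = @('HOST-PLACEHOLDER-1', 'HOST-PLACEHOLDER-2')
$results = foreach ($h in $Hosts) {
    try {
        $s = Invoke-Command -ComputerName $h -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
        Test-DefenderPatchLevel -Status $s -ComputerName $h
    } catch {
        # Unreachable hosts or hosts without Defender need follow-up, so keep them in the report.
        [pscustomobject]@{ ComputerName = $h; Error = $_.Exception.Message }
    }
}

# Anything not confirmed patched on both components (including error rows) is listed.
$results |
    Where-Object { -not ($_.PlatformPatched -and $_.EnginePatched) } |
    Format-Table -AutoSize
```

Because the advisory ties each CVE to a different component build, the script treats a host as fixed only when both the platform and the engine meet their minimum; a host that reports an error is deliberately kept in the output rather than dropped, since an unreachable or Defender-less machine is exactly the one that needs a second look.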
CISA Mandate
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by June 3, 2026.
All organizations — not just federal agencies — should treat this as a high-priority patching event given confirmed active exploitation.