Microsoft Defender Zero-Days Require Immediate Update Verification

Vulnerabilities Reporter

Microsoft patched two actively exploited Defender flaws. Confirm engine and platform versions now.

Microsoft has issued security fixes for two actively exploited Microsoft Defender vulnerabilities tracked as CVE-2026-41091 and CVE-2026-45498. Both affect core Defender components used across Windows endpoints and servers where Defender is enabled.

Patch now. Verify versions.

CVE-2026-41091 affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. It is rated High with a CVSS score of 7.8. The flaw allows local privilege escalation. An attacker who already has access to a system could use it to gain higher privileges and move closer to full control of the endpoint.

CVE-2026-45498 affects Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. It is rated High with a CVSS score of 7.5. The flaw can trigger denial of service. That matters because Defender is part of the defensive layer itself. Disrupting it can weaken detection and response during an intrusion.

Microsoft released fixed versions for the affected components. Malware Protection Engine should be updated to version 1.1.26040.8 or later. Defender Antimalware Platform should be updated to version 4.18.26040.7 or later. Administrators should review the Microsoft Security Update Guide and confirm deployment status across managed devices.

The risk is active exploitation. CISA reportedly added the flaws to its Known Exploited Vulnerabilities catalog, which signals confirmed real-world abuse and imposes required remediation timelines for U.S. federal civilian agencies. Agencies were directed to apply vendor mitigations or discontinue use if mitigations were unavailable.

The affected technology is sensitive. Microsoft Defender runs with privileged access. Its engine inspects files, scripts, memory activity, downloaded payloads, and other execution paths. That position gives it broad visibility, but it also makes Defender bugs valuable to attackers. A privilege escalation flaw in a security product can convert limited access into deeper control. A denial-of-service flaw can blind or degrade protection at the exact point defenders need telemetry.

The likely attack chain is direct. An attacker first lands on a host through phishing, stolen credentials, exposed remote access, or another vulnerability. The attacker then uses a local privilege escalation bug to raise permissions. If Defender can also be crashed or disrupted, the attacker gains more time to stage tools, disable controls, dump credentials, or move laterally.

Default automatic updating reduces exposure, but it does not eliminate operational risk. Enterprises often delay updates through policy, network isolation, gold images, virtual desktop pools, server baselines, offline systems, or change windows. Those environments need manual confirmation. Assume nothing.

Administrators should take these steps immediately:

  1. Confirm Microsoft Defender engine and platform versions on every managed endpoint.
  2. Update Malware Protection Engine to 1.1.26040.8 or later.
  3. Update Defender Antimalware Platform to 4.18.26040.7 or later.
  4. Force Defender updates on systems that have not checked in.
  5. Review EDR alerts for Defender service crashes, tamper events, update failures, and suspicious local privilege escalation behavior.
  6. Prioritize internet-facing systems, administrator workstations, jump boxes, domain controllers, and servers handling credentials.
  7. Isolate systems that cannot update until compensating controls are in place.

Users can check Defender status through Windows Security by opening Virus & threat protection, then Protection updates, then checking for updates. Enterprise teams should use Microsoft Intune, Configuration Manager, Group Policy, PowerShell, or existing endpoint management tooling to audit versions at scale.
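As an added example (not from the article or from Microsoft), the following PowerShell audit carries out steps 1 to 4 above: it reads each host's engine and platform versions with Get-MpComputerStatus, compares them against the fixed versions the advisory names, and optionally forces a definition/engine update where a host is behind. It assumes Defender Antivirus is installed and, for remote hosts, that WinRM is enabled.

```powershell
# Added example, not from the article: audit Defender engine and platform
# versions against the fixed versions named in the advisory and, optionally,
# force an update where a host is behind. Assumes Defender Antivirus is
# installed and, for remote hosts, that WinRM (PowerShell remoting) is enabled.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$ForceUpdate
)

# Minimum fixed versions from the advisory, kept as strings so they serialize
# cleanly into remote sessions and are cast to [version] on each host.
$MinEngine   = '1.1.26040.8'
$MinPlatform = '4.18.26040.7'

$audit = {
    param([string]$MinEngine, [string]$MinPlatform, [bool]$ForceUpdate)
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # Malware Protection Engine
    $platform = [version]$status.AMProductVersion   # Antimalware Platform

    $engineOk   = $engine   -ge [version]$MinEngine
    $platformOk = $platform -ge [version]$MinPlatform

    if ($ForceUpdate -and -not $engineOk) {
        # Definition packages carry the engine, so this can close the engine gap.
        # Platform updates come through Windows Update / WSUS and may still need
        # a separate push if PlatformOk stays false.
        Update-MpSignature -ErrorAction SilentlyContinue
        $engine   = [version](Get-MpComputerStatus).AMEngineVersion
        $engineOk = $engine -ge [version]$MinEngine
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Engine     = $engine.ToString()
        EngineOk   = $engineOk
        Platform   = $platform.ToString()
        PlatformOk = $platformOk
        Exposed    = -not ($engineOk -and $platformOk)  # behind on either component
    }
}

$auditArgs = @($MinEngine, $MinPlatform, $ForceUpdate.IsPresent)
$results = if ($ComputerName.Count -eq 1 -and $ComputerName[0] -eq $env:COMPUTERNAME) {
    & $audit @auditArgs    # local run, no remoting needed
} else {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ArgumentList $auditArgs
}

# Exposed hosts first, so the output doubles as the remediation / isolation queue.
$results | Sort-Object Exposed -Descending |
    Format-Table Host, Engine, EngineOk, Platform, PlatformOk, Exposed -AutoSize
```

Run it from an elevated prompt; hosts that remain Exposed after a forced update are candidates for step 7 (isolation until the platform update lands).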

Timeline:

  • Affected versions: Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
  • Fixed versions: Malware Protection Engine 1.1.26040.8 and Defender Antimalware Platform 4.18.26040.7.
  • Public reporting: May 2026.
  • Federal remediation deadline reported for CISA KEV action: June 3, 2026.

This is not a routine update check. The vulnerabilities affect defensive infrastructure and have been reported as exploited. Treat missing Defender updates as an incident precursor. Patch, verify, and hunt.
