Microsoft security updates require immediate review. Domain controllers and Defender components are exposed until patched.
Microsoft’s Security Update Guide is the required source for current remediation data. Administrators should treat the latest Microsoft advisories as an urgent patch cycle, especially for Windows Server domain controllers and Microsoft Defender components.
Impact
Critical exposure exists in Windows Server domain controller environments. The highest-risk issue is CVE-2026-41089, a Windows Server Netlogon vulnerability reported with a CVSS score of 9.8. A vulnerable domain controller can be targeted over the network with a malformed UDP packet. No credentials are required in the reported attack path.
Patch now. Domain controllers are high-value assets.
A successful exploit can affect authentication, identity control, and domain trust. In Active Directory environments, a compromised domain controller can become a control point for Kerberos tickets, privileged accounts, lateral movement, and persistence. This is not a workstation-only risk. This is domain-level risk.
Microsoft Defender also requires verification. CVE-2026-41091 affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. It is rated high, CVSS 7.8. CVE-2026-45498 affects Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. It is rated high, CVSS 7.5. Reports state both have been exploited in the wild and added to the CISA Known Exploited Vulnerabilities Catalog.
Affected Products
CVE-2026-41089 affects Windows Server domain controllers, reportedly Windows Server 2012 and later. The vulnerable component is Netlogon. Domain controllers should be prioritized over member servers and workstations because exploitation can affect the entire domain.
CVE-2026-41091 affects Microsoft Malware Protection Engine 1.1.26030.3008 and earlier. The fixed engine version reported for mitigation is 1.1.26040.8.
CVE-2026-45498 affects Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. The fixed platform version reported for mitigation is 4.18.26040.7.
Administrators should confirm exact applicability in the official Microsoft advisory pages for CVE-2026-41089, CVE-2026-41091, and CVE-2026-45498.
Technical Details
CVE-2026-41089 is the most severe issue. Netlogon is a core Windows service used by domain controllers for authentication-related operations. It is part of the machinery that lets domain-joined systems find a controller, authenticate, and maintain secure channels.
The reported flaw is a buffer overflow condition triggered by malformed network input. The attack description is direct. An attacker on the same network sends a crafted UDP packet to a vulnerable domain controller. A field in the packet exceeds the expected size. Netlogon processing combines attacker-controlled input with server-side data. Memory corruption follows.
That is enough. Memory corruption in an authentication service is a critical condition.
The risk is amplified by where the vulnerable code runs. Domain controllers are not ordinary servers. They issue and validate identity. They hold the keys to directory trust. They support Kerberos, NTLM, Group Policy, machine account relationships, and privileged administration paths.
A denial-of-service outcome is already serious. A forced restart of a domain controller can disrupt authentication, application access, VPN access, and service account operations. Remote code execution is worse. If code execution reaches SYSTEM-level privileges on a controller, the attacker may be able to create privileged users, alter directory objects, extract secrets, or prepare long-term access.
This is why domain controller patching must be handled as a coordinated action. Patching one controller does not protect a domain if another reachable controller remains vulnerable. Attackers only need one exposed path.
CVE-2026-41091 is a local privilege escalation issue in the Microsoft Malware Protection Engine. The engine parses and scans files, memory, scripts, and content across Windows environments. A privilege escalation bug in this layer can let an attacker with local access raise privileges after initial compromise. That matters during intrusion chains. Attackers often land first as a low-privilege user, then escalate.
CVE-2026-45498 affects the Defender Antimalware Platform and can cause denial of service. Security tooling availability matters during active incidents. If an attacker can crash, disable, or degrade endpoint protection, detection and response time increases. That gives the attacker more room to stage payloads, steal credentials, and move laterally.
Severity
CVE-2026-41089 is critical. CVSS 9.8. Treat it as emergency patch priority for any environment running affected Windows Server domain controllers.
CVE-2026-41091 is high. CVSS 7.8. Exploitation can support privilege escalation after initial access.
CVE-2026-45498 is high. CVSS 7.5. Exploitation can disrupt Defender protection and weaken incident response.
Timeline
May 12, 2026: Microsoft released May Patch Tuesday updates covering multiple security vulnerabilities, including the reported fix for CVE-2026-41089.
May 2026: Microsoft released updated Defender components for the Malware Protection Engine and Antimalware Platform.
Late May 2026: Reports stated CVE-2026-41091 and CVE-2026-45498 were being exploited and had been added to CISA’s KEV catalog.
June 2026: Reports stated CVE-2026-41089 exploitation had been observed after patch release. Unpatched domain controllers remained exposed.
Required Action
Patch domain controllers first. Apply the relevant Windows Server security updates from Microsoft Update, Windows Server Update Services, Microsoft Configuration Manager, or the Microsoft Update Catalog.
Confirm every domain controller. Do not rely on a sample.
Inventory all DCs across production, disaster recovery, lab, branch, and legacy network segments. Include read-only domain controllers. Include isolated sites. Include systems that are normally excluded from rapid patch windows.
Verify Defender engine and platform versions. The Malware Protection Engine should be updated beyond 1.1.26030.3008. The Antimalware Platform should be updated beyond 4.18.26030.3011. Reported fixed versions are 1.1.26040.8 for the engine and 4.18.26040.7 for the platform.
Check update health. Use Microsoft Defender security intelligence update status, endpoint management reports, PowerShell inventory, and EDR telemetry. Confirm that automatic updates actually completed.
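One way to perform the version check described above, as an added example that is not part of the original advisory: it reads the installed engine and platform versions with Get-MpComputerStatus and compares them against the vulnerable ceilings quoted in this advisory. The thresholds and fixed builds are the advisory's figures; the function name and remote-query approach (Invoke-Command over WinRM) are this example's own choices.

```powershell
# Added example: flag Defender components still at or below the vulnerable versions.
# Version ceilings come from the advisory text; the remediation builds are the
# reported fixed versions (1.1.26040.8 engine, 4.18.26040.7 platform).
$VulnerableEngineMax   = [version]'1.1.26030.3008'   # CVE-2026-41091: this and earlier
$VulnerablePlatformMax = [version]'4.18.26030.3011'  # CVE-2026-45498: this and earlier

function Test-DefenderPatchState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            # Query locally when possible; otherwise use WinRM (assumed enabled on targets).
            $status = if ($name -ieq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
            }
            # AMEngineVersion = Malware Protection Engine, AMProductVersion = Antimalware Platform.
            $engine   = [version]$status.AMEngineVersion
            $platform = [version]$status.AMProductVersion
        } catch {
            # A host that cannot be queried is unverified, not safe: report it as a finding.
            [pscustomobject]@{ Computer = $name; Engine = $null; Platform = $null
                               Result = "UNVERIFIED: $($_.Exception.Message)" }
            continue
        }

        $findings = @()
        if ($engine -le $VulnerableEngineMax)     { $findings += 'engine vulnerable (CVE-2026-41091)' }
        if ($platform -le $VulnerablePlatformMax) { $findings += 'platform vulnerable (CVE-2026-45498)' }

        [pscustomobject]@{
            Computer = $name
            Engine   = $engine
            Platform = $platform
            Result   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage: feed the endpoint inventory from your management tooling, e.g.
# Test-DefenderPatchState -ComputerName (Get-Content .\endpoints.txt) | Where-Object Result -ne 'OK'
```

Hosts that report UNVERIFIED need a second look through endpoint management reports or EDR telemetry rather than being assumed patched.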
Monitor domain controllers. Watch for Netlogon crashes, LSASS instability, unexpected reboots, unusual UDP traffic to domain controllers, new privileged accounts, Kerberos anomalies, and suspicious changes in Active Directory.
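The monitoring step above, as an added example that is not part of the original advisory: it enumerates every domain controller (read-only DCs included) and pulls the event-log indicators that correspond to the list in this section over a look-back window. The function name and query table are this example's own; the event IDs are standard Windows IDs (1000 application crash, 7034 service terminated unexpectedly, 6008 unexpected shutdown, 4728/4732/4756 member added to a security group). It assumes the ActiveDirectory module and remote event-log read rights on the DCs.

```powershell
# Added example: sweep all DCs for Netlogon/LSASS instability, unexpected reboots,
# and new privileged group membership. Netlogon is hosted inside lsass.exe, so a
# Netlogon fault surfaces as an LSASS crash (ID 1000) or a service crash (ID 7034).
function Get-DcExposureEvents {
    param([int]$LookbackHours = 24)

    $since = (Get-Date).AddHours(-$LookbackHours)
    # Full inventory, not a sample: Get-ADDomainController returns RODCs as well.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # 'Match' restricts crash events to the Netlogon/LSASS path; $null keeps every event.
    $queries = @(
        @{ Name = 'Process crash';            LogName = 'Application'; Id = 1000;             Match = 'lsass|netlogon' }
        @{ Name = 'Service terminated';       LogName = 'System';      Id = 7034;             Match = 'netlogon' }
        @{ Name = 'Unexpected shutdown';      LogName = 'System';      Id = 6008;             Match = $null }
        @{ Name = 'Security group member add'; LogName = 'Security';   Id = 4728, 4732, 4756; Match = $null }
    )

    foreach ($dc in $dcs) {
        foreach ($q in $queries) {
            $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
            # Get-WinEvent errors when nothing matches; treat an empty result as zero hits.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
            if (-not $events) { continue }

            foreach ($e in $events) {
                if ($q.Match -and $e.Message -notmatch $q.Match) { continue }
                [pscustomobject]@{
                    DomainController = $dc
                    Indicator        = $q.Name
                    Time             = $e.TimeCreated
                    EventId          = $e.Id
                    Summary          = ($e.Message -split "`r?`n")[0]   # first line of the message
                }
            }
        }
    }
}

# Usage: Get-DcExposureEvents -LookbackHours 72 | Sort-Object Time | Format-Table -AutoSize
```

Unusual UDP traffic to DCs and Kerberos anomalies are not visible in these logs; correlate the output with firewall and EDR telemetry for those indicators.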
Restrict network access to domain controllers. Domain controllers should not be broadly reachable from user VLANs, guest networks, unmanaged endpoints, or partner networks. Limit access to required ports from required systems. Review firewall rules and segmentation.
Assume patch lag creates exposure. Public advisory details often accelerate exploit development. Once a patch is available, attackers can compare vulnerable and fixed code paths. That shortens the time between disclosure and working exploit attempts.
Operational Guidance
Enterprises should run this as an identity emergency, not a routine workstation update. The fastest path is staged but compressed: test on representative domain controllers, deploy to a small production subset, validate authentication, then complete domain-wide rollout.
Back up domain controllers before maintenance. Confirm system state backups. Confirm recovery procedures. But do not let backup work become a reason for extended delay.
Coordinate with application owners. Authentication outages can look like application failures. Notify operations teams before reboot windows. Watch VPN, email, file services, database authentication, certificate services, and privileged access management systems after deployment.
For Defender, do not assume default automatic updates solved the issue. Many enterprises pin versions, route updates through internal mirrors, or delay platform updates through endpoint controls. Verify the installed component versions directly.
Use the Microsoft Security Update Guide for final product applicability, KB mapping, supersedence, and restart requirements. Use the CISA KEV catalog to prioritize vulnerabilities known to be used by attackers.
Bottom Line
Unpatched domain controllers create domain-wide exposure. Unpatched Defender components weaken endpoint protection. Apply Microsoft’s security updates, verify versions, and monitor for exploitation indicators immediately.