Microsoft has revealed that a privilege escalation and denial of service flaw in Defender is being exploited in the wild.
The former is tracked as CVE-2026-41091 and is rated 7.8 on the CVSS scoring system. Successful exploitation of this flaw could allow an attacker to gain SYSTEM privileges.
“Microsoft Defender’s improper link resolution before file access (‘link following’) could allow a privileged attacker to locally escalate privileges,” Microsoft said in an advisory.
The second vulnerability being exploited is CVE-2026-45498 (CVSS score: 4.0), which is a denial of service bug that affects Defender. These two vulnerabilities are addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
The tech giant said systems that have Microsoft Defender disabled are not affected by this vulnerability, adding that no action is required to install the update as malware definitions and the Microsoft Malware Protection Engine are automatically updated for optimal protection.
Microsoft has acknowledged that five different parties discovered and reported this flaw, including Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanova, and an anonymous researcher.
To ensure that the latest versions and definition updates for Microsoft Malware Protection Platform are actively downloaded and installed, we recommend that users follow these steps:
Open your Windows Security program. In the navigation pane,[ウイルスと脅威の保護]Select. next,[ウイルスと脅威の保護]By updating the section[保護の更新]Click.[アップデートを確認する]Select. In the navigation pane,[設定]Select[バージョン情報]Select. Check the Antimalware ClientVersion number.
At this time, details about how this vulnerability is being exploited in the wild are unknown. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both to its Known Exploited Vulnerabilities (KEV) catalog and requires Federal Civilian Executive Branch (FCEB) agencies to patch them by June 3, 2026.
Last week, Microsoft also revealed that a cross-site scripting flaw (CVE-2026-42897, CVSS score: 8.1) affecting on-premises versions of Exchange Server has been weaponized in real-world attacks.
On Wednesday, four other Microsoft flaws from 2008, 2009, and 2010 were also added to the KEV catalog.
CVE-2010-0806 – A use-after-free vulnerability in Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code. CVE-2010-0249 – A use-after-free vulnerability in Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code. CVE-2009-1537 – Microsoft DirectX has a null byte overwrite vulnerability in the QuickTime movie parser filter in quartz.dll in DirectShow that could allow a remote attacker to execute arbitrary code via a crafted QuickTime media file. CVE-2008-4250 – Microsoft Windows has a buffer overflow vulnerability in the Windows Server service that allows remote attackers to execute arbitrary code via a crafted RPC request.
Another vulnerability listed is CVE-2009-3459, a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader. This could allow remote attackers to execute arbitrary code via a crafted PDF file and cause memory corruption.
Source link
