Microsoft has disclosed that two vulnerabilities in Microsoft Defender are under active exploitation, and one of these flaws allows an attacker to gain SYSTEM privileges on affected Windows systems.
The Microsoft Defender privilege escalation exploited vulnerability is tracked as CVE-2026-41091, and it carries a CVSS score of 7.8 which is considered high severity, and Microsoft confirmed that attackers are actively using this flaw in real-world attacks.
The second vulnerability under exploitation is CVE-2026-45498 which is a denial-of-service bug, and it carries a CVSS score of 4.0 which is considered medium severity.
The Privilege Escalation Flaw
The Microsoft Defender privilege escalation exploited vulnerability is described as an improper link resolution before file access, which is also known as a link following vulnerability.
An attacker who successfully exploits this flaw can elevate privileges locally, and the end result is that an attacker can gain SYSTEM privileges which is the highest level of access on a Windows system.
The Microsoft Defender privilege escalation exploited flaw affects Microsoft Defender Antimalware Platform, and Microsoft has addressed the issue in version 1.1.26040.8.
The Denial of Service Vulnerability
The second actively exploited vulnerability is CVE-2026-45498, and this is a denial-of-service flaw affecting Microsoft Defender.
A denial-of-service attack would cause Defender to stop functioning properly, and this could leave the system vulnerable to other malware while Defender is disabled.
The Microsoft Defender privilege escalation exploited denial-of-service flaw has been addressed in Microsoft Defender Antimalware Platform version 4.18.26040.7.
How to Get the Patch
Microsoft noted that no action is required to install the update for the Microsoft Defender privilege escalation exploited vulnerabilities because Defender automatically updates malware definitions and the Microsoft Malware Protection Engine.
However, users should verify that automatic updates are working correctly, and Microsoft provided steps to ensure the latest version is installed.
Open Windows Security, select Virus & threat protection, then click on Protection Updates, and select Check for updates, then navigate to Settings and select About, and examine the Antimalware Client Version number.
The Microsoft Defender privilege escalation exploited vulnerabilities are patched in version 1.1.26040.8 and 4.18.26040.7, and systems with older versions remain vulnerable.
Systems Not Affected
Microsoft noted that systems which have disabled Microsoft Defender are not susceptible to the Microsoft Defender privilege escalation exploited vulnerabilities, but disabling Defender is not recommended for most users.
Defender is Microsoft's built-in antivirus solution, and it provides baseline protection against malware and other threats, disabling it leaves the system exposed to many other attack vectors.
The Microsoft Defender privilege escalation exploited flaws only affect systems where Defender is running, but the vast majority of Windows systems have Defender enabled.
Discovery Credits
Microsoft credited five different parties with discovering and reporting the Microsoft Defender privilege escalation exploited vulnerabilities.
The researchers include Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an anonymous researcher who chose not to be named.
These researchers reported the flaws through Microsoft's coordinated disclosure process, and Microsoft developed and released patches before confirming active exploitation.
Active Exploitation Details
Microsoft confirmed that the Microsoft Defender privilege escalation exploited vulnerabilities are being actively used in attacks, but the company provided few details about the exploitation.
There are currently no details about how the vulnerabilities are being exploited, the identity of the threat actors behind the activity, or the scale of such efforts.
What Microsoft did confirm is that both CVE-2026-41091 and CVE-2026-45498 meet the threshold for active exploitation, and the company tagged them accordingly.
CISA Adds to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both Microsoft Defender privilege escalation exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
CISA requires Federal Civilian Executive Branch (FCEB) agencies to apply the fixes for these flaws by June 3, 2026, and this deadline gives agencies approximately two weeks to patch.
The KEV catalog is a list of vulnerabilities that are known to be actively exploited, and federal agencies are required to patch these vulnerabilities within specific timeframes.
Three Microsoft Zero Days in a Week
With the latest disclosure of the Microsoft Defender privilege escalation exploited flaws, a total of three Microsoft vulnerabilities have been flagged as exploited within a span of one week.
Last week, Microsoft disclosed that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897) had been weaponized in real-world attacks, and that vulnerability has a CVSS score of 8.1.
The Exchange Server XSS vulnerability allows an attacker to perform spoofing over a network, and it requires a user to open a crafted email in Outlook Web Access.
The Microsoft Defender privilege escalation exploited vulnerabilities add to a busy month for Microsoft's security response team.
Older Vulnerabilities Added to KEV
CISA also added four other Microsoft flaws from 2008, 2009, and 2010 to the KEV catalog on Wednesday, and these are extremely old vulnerabilities.
CVE-2010-0806 is a use-after-free vulnerability in Microsoft Internet Explorer that could allow remote attackers to execute arbitrary code, and this flaw is over 16 years old.
CVE-2010-0249 is another use-after-free vulnerability in Microsoft Internet Explorer that could allow remote attackers to execute arbitrary code.
CVE-2009-1537 is a NULL byte overwrite vulnerability in Microsoft DirectX's QuickTime Movie Parser Filter in quartz.dll in DirectShow, and it could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
CVE-2008-4250 is a buffer overflow vulnerability in Microsoft Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request, and this flaw is over 18 years old.
Adobe Vulnerability Added to KEV
CISA also added CVE-2009-3459 to the KEV catalog, and this is a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader.
The Adobe flaw could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, and this vulnerability is also over 16 years old.
The addition of these older vulnerabilities to the KEV catalog indicates that attackers are still using them, and federal agencies may still have systems vulnerable to these ancient flaws.
Why Old Vulnerabilities Still Matter
The addition of 2008, 2009, and 2010 vulnerabilities to the KEV catalog highlights a persistent problem, many organizations still run outdated software, and attackers know that old vulnerabilities still work on unpatched systems.
A buffer overflow from 2008 should not be exploitable on a properly maintained Windows 10 or Windows 11 system, but many organizations run legacy systems that are no longer supported.
The Microsoft Defender privilege escalation exploited vulnerabilities are current and affect modern systems, but the addition of old vulnerabilities shows that CISA is concerned about all exploited flaws regardless of age.
How to Protect Your Systems
The Microsoft Defender privilege escalation exploited vulnerabilities are under active attack, here is what you need to do:
1. Verify your Defender version. Open Windows Security, go to Settings then About, and check your Antimalware Client Version, if it is below 1.1.26040.8 or 4.18.26040.7, your system is vulnerable.
2. Manually check for updates. Go to Virus and threat protection in Windows Security and click on Protection Updates. Select Check for updates. This forces Defender to download the most current patches.
3. Make sure Defender is on. The exploits for elevating privileges against Microsoft Defender can be done only if there is an instance of Defender installed. Microsoft recommends not turning off Defender.
4. Apply Windows updates. The Defender patches are distributed through Windows Update, ensure your system is receiving updates regularly.
5. For older vulnerabilities, upgrade legacy systems. The 2008-2010 vulnerabilities should not be present on modern Windows versions, if you are running Windows Server 2008 or Windows 7, upgrade immediately.
Final Thoughts
The Microsoft Defender privilege escalation exploited vulnerabilities are serious, and they are being actively used by attackers right now.
The privilege escalation flaw allows an attacker to gain SYSTEM privileges, and the denial-of-service flaw could disable Defender entirely, leaving systems exposed to other malware.
Microsoft has released patches through automatic updates, but users should verify that their Defender version is up to date, and they should check manually if they are unsure.
The Microsoft Defender privilege escalation exploited vulnerabilities join a growing list of actively exploited Microsoft flaws, and the addition of 16-year-old vulnerabilities to the KEV catalog shows that attackers never stop using old tricks.
Check your Defender version today, and do not let an unpatched antivirus become the weak link in your security.
FAQ Section
What is the Microsoft Defender privilege escalation exploited vulnerability?
CVE-2026-41091 is a Microsoft Defender privilege escalation exploited flaw that allows an attacker to gain SYSTEM privileges through improper link resolution before file access, also known as a link following vulnerability.
How do I know if my Microsoft Defender is patched against these vulnerabilities?
Open Windows Security, go to Settings then About, and check your Antimalware Client Version, it should be version 1.1.26040.8 or higher for CVE-2026-41091, and 4.18.26040.7 or higher for CVE-2026-45498.
Do I need to manually install the patch for these Defender vulnerabilities?
No, Microsoft Defender automatically updates malware definitions and the Microsoft Malware Protection Engine, but you should verify that automatic updates are working and check your version manually.
Are systems with Microsoft Defender disabled affected?
No, Microsoft noted that systems which have disabled Microsoft Defender are not susceptible to the Microsoft Defender privilege escalation exploited vulnerabilities, but disabling Defender is not recommended.
What other Microsoft vulnerabilities were added to the CISA KEV catalog?
CISA added CVE-2010-0806, CVE-2010-0249, CVE-2009-1537, and CVE-2008-4250 (all Microsoft flaws from 2008-2010), plus CVE-2009-3459 for Adobe Acrobat and Reader.