Microsoft has revealed that two security weaknesses in Defender, a privilege escalation issue and a denial‑of‑service flaw, are currently being actively exploited in real‑world attacks.
The first vulnerability, identified as CVE‑2026‑41091, carries a CVSS score of 7.8. If successfully exploited, it could enable an attacker to obtain SYSTEM‑level access. Microsoft explained that the issue stems from improper link resolution prior to file access (commonly called “link following”), which could allow a locally authorized user to elevate their privileges.
The second flaw, tracked as CVE‑2026‑45498 and rated 4.0 on the CVSS scale, is a denial‑of‑service vulnerability in Defender.
Microsoft has resolved both issues in updated versions of its Defender Antimalware Platform, specifically versions 1.1.26040.8 and 4.18.26040.7. The company noted that systems where Microsoft Defender is disabled are not affected. It also emphasized that users typically do not need to take manual action, as updates to malware definitions and the Microsoft Malware Protection Engine are delivered automatically to maintain security.
Credit for discovering and reporting the vulnerabilities goes to five contributors: Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an unnamed researcher.
To confirm their systems are up to date, users can:
- Open Windows Security
- Navigate to Virus & threat protection
- Select Protection updates and check for updates
- Go to Settings > About
- Review the Antimalware Client Version number
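The same check can be scripted for a fleet instead of clicked through per machine. The PowerShell below is an added example, not part of the original article or Microsoft's guidance: it reads the versions that Windows Security shows under Settings > About via the built‑in `Get-MpComputerStatus` cmdlet and compares them with the fixed versions named above. It assumes that the 4.18.26040.7 value corresponds to the `AMProductVersion` (platform) field and the 1.1.26040.8 value to the `AMEngineVersion` field, and that a host reporting `AntivirusEnabled = $false` is one the article describes as unaffected.

```powershell
# Added example (not from the article): report whether Defender on this host
# is at or above the fixed versions named in the article.
# Assumption: 4.18.26040.7 maps to AMProductVersion and 1.1.26040.8 to AMEngineVersion.
function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        [version]$FixedPlatform = [version]'4.18.26040.7',
        [version]$FixedEngine   = [version]'1.1.26040.8'
    )

    $status = Get-MpComputerStatus

    # Defender disabled: the article states such systems are not affected.
    if (-not $status.AntivirusEnabled) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Enabled      = $false
            Platform     = $null
            Engine       = $null
            Signatures   = $null
            Outdated     = $false
            Note         = 'Defender antivirus disabled; not affected per article'
        }
    }

    $platform = [version]$status.AMProductVersion
    $engine   = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Enabled      = $true
        Platform     = $platform
        Engine       = $engine
        Signatures   = $status.AntivirusSignatureVersion
        SigUpdated   = $status.AntivirusSignatureLastUpdated
        Outdated     = ($platform -lt $FixedPlatform) -or ($engine -lt $FixedEngine)
        Note         = "fixed platform $FixedPlatform, fixed engine $FixedEngine"
    }
}

# Usage: run locally, then pull definitions/engine if the host is behind.
$result = Test-DefenderPatchLevel
$result | Format-List

if ($result.Outdated) {
    Write-Warning 'Defender is below the fixed versions; requesting a definition/engine update.'
    Update-MpSignature
    Test-DefenderPatchLevel | Format-List
}
```

`Update-MpSignature` pulls new definitions and engine builds, which the article says arrive automatically; if the platform field alone stays behind after that, the platform update is delivered through Windows Update rather than the signature channel, so check Windows Update history next. To run the check across many hosts, pass the function to `Invoke-Command -ComputerName ... -ScriptBlock ${function:Test-DefenderPatchLevel}` and filter on `Outdated -eq $true`.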
At this time, Microsoft has not disclosed details on how these vulnerabilities are being exploited in active attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply the necessary patches by June 3, 2026.
With these disclosures, three Microsoft vulnerabilities have been confirmed as actively exploited within a single week. Earlier, Microsoft reported that a cross‑site scripting vulnerability in on‑premises Exchange Server (CVE‑2026‑42897, CVSS 8.1) was being used in the wild.
Additionally, CISA has recently added several older Microsoft vulnerabilities, dating from 2008 to 2010, to its KEV catalog:
- CVE‑2010‑0806 and CVE‑2010‑0249: Use‑after‑free flaws in Internet Explorer that could enable remote code execution
- CVE‑2009‑1537: A DirectX issue involving a NULL byte overwrite that could allow malicious QuickTime files to execute arbitrary code
- CVE‑2008‑4250: A buffer overflow vulnerability in the Windows Server service exploitable via crafted RPC requests
Also listed is CVE‑2009‑3459, a heap‑based buffer overflow vulnerability in Adobe Acrobat and Reader that could be triggered by a specially crafted PDF, potentially leading to remote code execution.
