Active Exploitation of Microsoft Defender Flaws: Privilege Escalation and DoS Under Attack
**Microsoft** has confirmed that two vulnerabilities in **Microsoft Defender** are under active exploitation in the wild. These flaws include a privilege escalation vulnerability (CVE-2026-41091) and a denial-of-service bug (CVE-2026-45498), both of which have been addressed in recent updates.

**Microsoft** has disclosed active exploitation of a privilege escalation and a denial-of-service flaw in **Defender**.
### Privilege Escalation: CVE-2026-41091
The privilege escalation vulnerability, tracked as **CVE-2026-41091**, carries a CVSS score of 7.8. Successful exploitation could allow an attacker to gain SYSTEM privileges.
"Improper link resolution before file access ('link following') in **Microsoft Defender** allows an authorized attacker to elevate privileges locally," **Microsoft** stated in its advisory.
### Denial-of-Service: CVE-2026-45498
The second actively exploited vulnerability is **CVE-2026-45498** (CVSS score: 4.0), a denial-of-service bug affecting **Defender**. Both vulnerabilities have been patched in **Microsoft Defender** Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
### Overlap with Previously Disclosed Zero-Days
While not officially confirmed by **Microsoft**, the descriptions of **CVE-2026-41091** and **CVE-2026-45498** align with **RedSun** and **UnDefend**, two **Defender** zero-days previously disclosed by Chaotic Eclipse (aka Nightmare-Eclipse). **Huntress** has also observed exploitation of these vulnerabilities, alongside **BlueHammer** (CVE-2026-33825).
### Remote Code Execution: CVE-2026-45584
Version 1.1.26040.8 also addresses **CVE-2026-45584** (CVSS score: 8.1), a heap-based buffer overflow vulnerability in **Defender**. An unauthorized attacker could exploit this to achieve remote code execution, although there is currently no evidence of in-the-wild exploitation.
### Mitigation and Updates
**Microsoft** has stated that systems with **Microsoft Defender** disabled are not susceptible. No user action is normally required: the fix is delivered automatically through the regular malware definition and **Microsoft** Malware Protection Engine update channel.
**Microsoft** credited five parties for discovering and reporting **CVE-2026-41091**: Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher.
### Verifying Update Installation
To ensure the latest version of the **Microsoft** Malware Protection Platform and definition updates are installed, follow these steps:
1. Open the **Windows Security** program.
2. In the navigation pane, select **Virus & threat protection**.
3. Click on **Protection Updates** in the Virus & threat protection section.
4. Select **Check for updates**.
5. In the navigation pane, select **Settings**, and then select **About**.
6. Examine the **Antimalware ClientVersion** number.
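The same check can be scripted for fleet-wide verification. The following PowerShell is an added example (not from the advisory or this article) built on the `Get-MpComputerStatus` cmdlet; it assumes that 1.1.26040.8 is the engine version (`AMEngineVersion`) and 4.18.26040.7 the platform version (`AMProductVersion`, shown as the Antimalware Client Version in Windows Security).

```powershell
# Added example: compare installed Defender engine/platform versions with the
# patched versions named in the advisory (assumed mapping, see lead-in).
$Required = @{
    AMEngineVersion  = [version]'1.1.26040.8'   # engine, ships with definitions
    AMProductVersion = [version]'4.18.26040.7'  # platform ("Antimalware Client Version")
}

function Test-DefenderPatched {
    $status = Get-MpComputerStatus

    # The advisory says hosts with Defender disabled are not affected; flag
    # them so the result is not misread as "patched".
    if (-not $status.AntivirusEnabled) {
        Write-Warning 'Defender antivirus is disabled on this host (not affected per advisory, but not protected either).'
    }

    $allOk = $true
    foreach ($prop in $Required.Keys) {
        $installed = [version]$status.$prop
        $ok = $installed -ge $Required[$prop]
        if (-not $ok) { $allOk = $false }
        [pscustomobject]@{
            Component = $prop
            Installed = $installed
            Required  = $Required[$prop]
            Patched   = $ok
        }
    }

    if (-not $allOk) {
        # Update-MpSignature pulls definition and engine updates; the platform
        # package normally arrives through Windows Update, so re-check afterwards.
        Write-Warning 'Defender is below the patched version; requesting an update.'
        Update-MpSignature
    }
}

Test-DefenderPatched | Format-Table -AutoSize
```

Run in an elevated PowerShell session; a `Patched` value of `False` after the update means the platform package has not yet been delivered and Windows Update should be checked.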
### CISA Adds Vulnerabilities to KEV Catalog
The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has added both **CVE-2026-41091** and **CVE-2026-45498** to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply fixes by June 3, 2026.
### Other Recent Microsoft Vulnerabilities
These **Defender** flaws are the latest in a series of recent **Microsoft** vulnerability disclosures. Last week, **Microsoft** warned of a cross-site scripting flaw (CVE-2026-42897, CVSS score: 8.1) impacting on-premise versions of **Exchange Server** that was being actively exploited.
### Additional Vulnerabilities Added to KEV Catalog
On Wednesday, **CISA** also added the following older **Microsoft** flaws to the KEV catalog:
* **CVE-2010-0806** - **Microsoft Internet Explorer** use-after-free vulnerability.
* **CVE-2010-0249** - **Microsoft Internet Explorer** use-after-free vulnerability.
* **CVE-2009-1537** - **Microsoft DirectX** NULL byte overwrite vulnerability.
* **CVE-2008-4250** - **Microsoft Windows** Server Service buffer overflow vulnerability.
**CVE-2009-3459**, a heap-based buffer overflow vulnerability in **Adobe Acrobat** and **Reader**, was also added to the KEV catalog.