Microsoft Patches Two Actively Exploited Defender Zero-Days on Windows
Both flaws were exploited in attacks and can lead to SYSTEM access or device crashes
Microsoft has released emergency security updates for two actively exploited zero-day vulnerabilities in Microsoft Defender components on Windows. The fixes began rolling out on Wednesday, and both flaws were already being exploited in the wild before patches were available.
The two vulnerabilities impact the Microsoft Malware Protection Engine and the Microsoft Defender Antimalware Platform. One of the flaws can allow attackers to gain SYSTEM privileges, while the other can trigger denial-of-service conditions on unpatched devices.
CVE-2026-41091 allows SYSTEM privilege escalation
The first vulnerability is tracked as CVE-2026-41091. It affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier.
According to Microsoft, the flaw is caused by improper link resolution before file access (the weakness class catalogued as CWE-59, "link following"). Bugs in this class typically arise when a privileged process follows a symbolic link or junction that a less-privileged user controls, so a file operation intended for one path lands on another. Attackers who successfully exploit the issue can gain SYSTEM-level privileges on affected systems.
Microsoft fixed the vulnerability in Malware Protection Engine version 1.1.26040.8.
Because the Malware Protection Engine runs inside the Antimalware Service Executable (MsMpEng.exe) under the SYSTEM account, successful exploitation gives an attacker the highest local privilege level on the device and, with it, broad control over the compromised host.
CVE-2026-45498 can crash unpatched systems
The second vulnerability is tracked as CVE-2026-45498 and affects Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier.
Microsoft says the flaw can let attackers trigger denial-of-service states on vulnerable Windows devices. The affected antimalware platform is also used by Microsoft Security Essentials and System Center Endpoint Protection.
The issue was fixed in Antimalware Platform version 4.18.26040.7.
While the flaw does not directly enable remote code execution, denial-of-service vulnerabilities can still disrupt enterprise systems and security operations if exploited at scale. A crash of the antimalware platform is also a protection gap in its own right: until the service recovers, the host is running without the real-time scanning it normally provides.
Microsoft says updates should install automatically
Microsoft says most consumer and enterprise systems should receive the fixes automatically through normal Defender security updates.
Users should still verify that Defender platform updates and malware definitions have installed correctly. Microsoft recommends checking update status in the Windows Security app under Virus & threat protection, then Protection updates.
The installed versions can also be checked from Windows Security under Settings, then About, which lists the Antimalware Client Version (the platform, 4.18.x) and the Engine Version (1.1.x) separately, so both can be compared against the fixed builds above.
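For administrators who need the same check across many machines, the version comparison can be scripted. The following is an added example, not code from the article or from Microsoft; it relies on the Defender PowerShell module's Get-MpComputerStatus and Update-MpSignature cmdlets, which exist on supported Windows builds, and the fixed version numbers are the ones the article reports. The function name Test-DefenderPatchLevel and the remote-collection approach via Invoke-Command are this example's own choices.

```powershell
# Added example (not from the article or from Microsoft): report whether the
# installed Defender engine and antimalware platform are at or above the
# patched builds named in the article. Run from an elevated PowerShell session.

function Test-DefenderPatchLevel {
    param(
        # Computers to check; defaults to the local machine. Remote hosts are
        # queried over PowerShell remoting (Invoke-Command), which must be enabled.
        [string[]]$ComputerName = @($env:COMPUTERNAME),

        # Fixed builds from the article. "Engine" is the Malware Protection Engine;
        # "Platform" is the Antimalware Platform, which Get-MpComputerStatus
        # exposes as AMProductVersion.
        [version]$FixedEngine   = '1.1.26040.8',
        [version]$FixedPlatform = '4.18.26040.7'
    )

    foreach ($computer in $ComputerName) {
        try {
            $status = if ($computer -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock { Get-MpComputerStatus }
            }
        } catch {
            # Surface collection failures instead of silently skipping the host.
            [pscustomobject]@{ Computer = $computer; Error = $_.Exception.Message }
            continue
        }

        # Version strings like "1.1.26040.8" compare correctly once cast to [version];
        # a plain string comparison would sort "1.1.9999.0" above "1.1.26040.8".
        $engine   = [version]$status.AMEngineVersion
        $platform = [version]$status.AMProductVersion

        [pscustomobject]@{
            Computer             = $computer
            EngineVersion        = $engine
            EnginePatched        = ($engine -ge $FixedEngine)
            PlatformVersion      = $platform
            PlatformPatched      = ($platform -ge $FixedPlatform)
            SignatureVersion     = $status.AntivirusSignatureVersion
            SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
            RealTimeProtection   = $status.RealTimeProtectionEnabled
            Error                = $null
        }
    }
}

# Check the local machine and, if the engine is behind, pull the latest
# security intelligence package (which carries engine updates).
$report = Test-DefenderPatchLevel
$report | Format-Table Computer, EngineVersion, EnginePatched, PlatformVersion, PlatformPatched -AutoSize

if ($report.Error -eq $null -and -not $report.EnginePatched) {
    Update-MpSignature
}
```

Note that Update-MpSignature refreshes definitions and, with them, the engine, but the antimalware platform ships as a separate package through Windows Update (the "Update for Microsoft Defender antimalware platform" release), so a host whose PlatformPatched stays false needs a Windows Update pass rather than another signature update. For a fleet, pass a list of hostnames to -ComputerName and export the returned objects to CSV for tracking.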
CISA adds both flaws to exploited vulnerabilities list
The U.S. Cybersecurity and Infrastructure Security Agency has added both Defender vulnerabilities to its Known Exploited Vulnerabilities catalog.
Federal agencies must secure affected systems by June 3 under current remediation requirements.
CISA warned that attackers commonly exploit these types of security flaws in real-world attacks, especially when security software runs with elevated privileges.
The Defender zero-days arrive amid a busy week for Microsoft security news. GitHub recently confirmed that its internal repository breach was linked to the wider TanStack supply-chain attack campaign. Microsoft is also investigating the YellowKey exploit and warned that the Storm-2949 threat group is actively targeting Microsoft 365 and Azure environments to steal sensitive data.