Microsoft Issues Emergency Defender Updates for Two Zero-Day Vulnerabilities
Microsoft released urgent Defender updates to fix two zero-day vulnerabilities that are being actively exploited. The flaws could allow attackers to gain SYSTEM-level privileges or cause denial-of-service issues on unpatched Windows systems. Users and administrators should verify that Defender updates are enabled and that the latest protection versions are installed.
Microsoft has begun rolling out security updates for two Microsoft Defender vulnerabilities that have reportedly been exploited in active zero-day attacks.
The first vulnerability, tracked as CVE-2026-41091, is a privilege escalation flaw affecting Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. The Malware Protection Engine is responsible for core antivirus and antispyware functions, including scanning, detection, and threat removal.
According to Microsoft, the issue is caused by improper link resolution before file access, also known as a link-following weakness. Successful exploitation could allow an attacker to elevate privileges and gain SYSTEM-level access on a vulnerable Windows device.
The second vulnerability, tracked as CVE-2026-45498, affects systems running Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. This platform is also used by several Microsoft security products, including System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Microsoft Security Essentials.
Microsoft stated that exploitation of CVE-2026-45498 could allow attackers to trigger a denial-of-service condition on unpatched Windows systems.
To address these vulnerabilities, Microsoft released updated versions of the affected components:
- Malware Protection Engine: version 1.1.26040.8
- Microsoft Defender Antimalware Platform: version 4.18.26040.7
Microsoft noted that most customers should not need to take manual action, as Microsoft antimalware products are configured by default to automatically update malware definitions and the Defender Antimalware Platform.
However, administrators and users are encouraged to verify that automatic updates are enabled and confirm that the latest updates have been installed.
To check for updates manually:
- Open Windows Security.
- Select Virus & threat protection.
- Under Virus & threat protection updates, select Protection updates.
- Click Check for updates.
- Go to Settings, then select About.
- Review the Antimalware Client Version and related version information.
The update is considered successfully installed if the listed Malware Protection Platform version or signature package version matches or exceeds the fixed versions provided by Microsoft.
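The same check, scripted for administrators who need to verify many endpoints rather than click through Windows Security on each one. This is an added example, not code from the article or from Microsoft; it assumes the built-in Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`) is available and compares the installed engine and platform builds against the fixed versions listed above.

```powershell
# Added example (not from the article): verify that the local Defender engine and
# platform builds are at or above the versions Microsoft shipped for the two fixes.
# Assumes the Defender module is present (Windows 10/11, Server 2016+).

$fixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix (CVE-2026-41091)
$fixedPlatform = [version]'4.18.26040.7'  # Defender Antimalware Platform fix (CVE-2026-45498)

function Test-DefenderPatched {
    param(
        [version]$EngineFixed   = $fixedEngine,
        [version]$PlatformFixed = $fixedPlatform
    )
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine; AMProductVersion is the
    # Antimalware Platform (the "Antimalware Client Version" shown under About).
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        EngineVersion     = $engine
        EnginePatched     = ($engine -ge $EngineFixed)
        PlatformVersion   = $platform
        PlatformPatched   = ($platform -ge $PlatformFixed)
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeDays  = $status.AntivirusSignatureAge
        FullyPatched      = (($engine -ge $EngineFixed) -and ($platform -ge $PlatformFixed))
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not $result.FullyPatched) {
    Write-Warning 'Defender engine or platform is below the fixed build; requesting a protection update.'
    # Update-MpSignature pulls the latest definition package, which carries the engine;
    # the platform build itself arrives through Windows Update, so re-check afterwards.
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

Run the script with `Invoke-Command -ComputerName <hosts> -FilePath` to collect the same object from a fleet and flag any host where `FullyPatched` is `False`.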
The U.S. Cybersecurity and Infrastructure Security Agency also added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, confirming that they are being actively exploited in the wild. Federal Civilian Executive Branch agencies have been ordered to secure affected Windows endpoints and servers by June 3, in accordance with Binding Operational Directive 22-01.
CISA warned that vulnerabilities of this type are commonly used by malicious actors and can pose significant risk to enterprise environments. The agency advised organizations to apply Microsoft’s recommended mitigations or discontinue use of the affected products if mitigations are not available.
Microsoft also recently published mitigations for YellowKey, a Windows BitLocker zero-day vulnerability that could allow attackers to access protected drives.