Microsoft has confirmed active exploitation of two security vulnerabilities in its security ecosystem, identified as CVE-2026-41091 and CVE-2026-45498, both evaluated under the CVSS scoring system. The issues affect Microsoft Defender and have raised concerns due to confirmed in-the-wild exploitation and potential impact on enterprise systems.
The first issue, CVE-2026-41091 (CVSS 7.8), is a privilege escalation vulnerability affecting Microsoft Defender. If successfully exploited, it could allow a local attacker to obtain SYSTEM-level privileges. The flaw is rooted in improper link resolution before file access, commonly described as a “link following” issue.
Microsoft stated in its advisory:
“Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally,”
The second vulnerability, CVE-2026-45498 (CVSS 4.0), is a denial-of-service flaw impacting Microsoft Defender. While rated lower in severity under the CVSS framework, it has still been confirmed as actively exploited in real-world environments alongside CVE-2026-41091.
Both vulnerabilities have been addressed in updated releases of the Microsoft Defender Antimalware Platform, specifically versions 1.1.26040.8 and 4.18.26040.7, respectively.
CVE-2026-41091, CVE-2026-45498, and CVSS Context
Although Microsoft has not explicitly confirmed the link, the behavior associated with CVE-2026-41091 and CVE-2026-45498 overlaps with earlier publicly discussed issues named RedSun and UnDefend, which were disclosed by the threat research group Chaotic Eclipse (also known as Nightmare-Eclipse).
Security researchers from Huntress have reported active exploitation of both CVE-2026-41091 and CVE-2026-45498 in the wild. These observations also include exploitation activity related to BlueHammer (CVE-2026-33825), suggesting a broader campaign targeting Microsoft Defender components and adjacent security mechanisms.
Additional Security Findings
Alongside the two actively exploited vulnerabilities CVE-2026-41091 and CVE-2026-45498, Microsoft also patched another flaw in the same Defender update cycle: CVE-2026-45584 (CVSS 8.1). This vulnerability is a heap-based buffer overflow that could allow remote code execution if exploited. Unlike CVE-2026-41091 and CVE-2026-45498, there is currently no evidence that CVE-2026-45584 has been used in active attacks.
Microsoft Defender systems that have been disabled are not affected by these vulnerabilities, according to the company. Microsoft also noted that no manual intervention is required for most users, as updates are delivered automatically through malware definition updates and the Microsoft Malware Protection Engine.
CVSS Updates and Security Guidance
To verify protection status against CVE-2026-41091 and CVE-2026-45498, Microsoft recommends users check their Microsoft Defender configuration using the Windows Security interface (Microsoft Windows Security). The recommended steps include navigating to Virus & threat protection, checking protection updates, and verifying the Antimalware Client Version.
Microsoft credited five researchers for identifying CVE-2026-41091, including Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an anonymous contributor.
CISA KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) (Cybersecurity and Infrastructure Security Agency) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by June 3, 2026, reflecting the urgency of addressing CVSS-rated threats that are already being exploited.
With this addition, three Microsoft vulnerabilities have been flagged as actively exploited within a single week, highlighting a concentrated wave of CVE-based attacks targeting Microsoft products.
Legacy Vulnerabilities
CISA’s KEV catalog update also included several older but still relevant vulnerabilities:
- CVE-2010-0806: Internet Explorer use-after-free flaw enabling remote code execution
- CVE-2010-0249: Another Internet Explorer use-after-free vulnerability allowing arbitrary code execution
- CVE-2009-1537: DirectX issue in QuickTime Movie Parser Filter via crafted media files
- CVE-2008-4250: Windows Server Service buffer overflow via crafted RPC request
- CVE-2009-3459: Adobe Acrobat and Reader heap-based buffer overflow via malicious PDF files
These legacy issues demonstrate that exploitation of older software remains relevant in modern threat landscapes, especially when combined with newer vulnerabilities like CVE-2026-41091 and CVE-2026-45498, both evaluated using CVSS metrics.
