Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-41091 | Microsoft Defender | EoP

FieldDetails
VulnerabilityCVE-2026-41091
Affected ProductMicrosoft Malware Protection Engine (the core scanning component of Microsoft Defender, implemented in mpengine.dll). Per NVD’s CPE configuration, vulnerable versions are from (including) 1.1.26030.3008 up to (excluding) 1.1.26040.8. The Malware Protection Engine ships with all current Windows Defender deployments and is shared across Microsoft endpoint protection products.
TypeLocal Elevation of Privilege (EoP) via Link Following. CISA’s KEV catalog entry names this vulnerability “Microsoft Defender Link Following Vulnerability”.
CWECWE-59: Improper Link Resolution Before File Access (‘Link Following’), as assigned by Microsoft Corporation (CNA) and recorded in NVD.
DescriptionPer Microsoft’s advisory and NVD: “Improper link resolution before file access (’link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally.” The Malware Protection Engine performs privileged file operations during its scanning and remediation activities. Because it does not correctly resolve symbolic links, junctions, or other filesystem indirections before performing those operations, an authorized local attacker can plant a link that redirects a privileged Defender file access to an attacker-controlled target, achieving execution as SYSTEM. Microsoft confirmed in-the-wild exploitation at disclosure on May 20, 2026.
SeverityCVSS v3.1: 7.8 HIGH (CNA: Microsoft Corporation), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H as recorded in NVD. CVSS v4.0: NVD assessment not yet provided at time of writing.
Root CauseThe Microsoft Malware Protection Engine does not safely resolve filesystem links (symbolic links, NTFS junctions, hard links) before performing file operations under its SYSTEM-level execution context. When the engine accesses, opens, or writes to a path that the attacker has converted to a link, the privileged operation follows the link and acts on the link target rather than the intended location, allowing privileged file write/overwrite primitives at attacker-chosen paths. Microsoft has not publicly named the specific Defender operation or mpengine.dll function that performs the unsafe access. Specific vulnerable function not publicly disclosed at time of writing. No public PoC has been released.
Attack VectorLocal (AV:L). Exploitation requires the attacker to already have code execution on the target Windows host in order to place the malicious link and influence Defender’s scanning activity. There is no remote/network delivery vector for this CVE on its own.
Privileges RequiredLow (PR:L). Per Microsoft’s wording — “an authorized attacker” — the attacker must hold at least an authenticated standard user account on the system. No administrative privilege is required prior to exploitation; the bug itself provides the elevation.
User InteractionNone (UI:N) per the NVD CVSS vector. No victim action is needed once the attacker has set up the link primitive — Defender’s own scheduled or triggered scanning activity performs the privileged file access.
ImpactLocal elevation of privilege to NT AUTHORITY\SYSTEM, the highest privilege level on Windows. Per Microsoft’s advisory, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” Downstream, SYSTEM access enables arbitrary code execution, installation of persistent components, modification or disablement of security tooling, credential harvesting from LSASS and the SAM, creation of new privileged accounts, and lateral movement within the enterprise. CVSS shows High Confidentiality, Integrity, and Availability impact (C:H/I:H/A:H).
Why the Bug MattersThe bug lives inside the endpoint protection product itself — the component that DFIR analysts rely on to surface attacker activity. Compromising or neutralizing the security product gives the attacker a tactical advantage twice: first as a privilege escalation primitive, and second by silencing the very telemetry source defenders use to detect post-exploitation. The exploitation pattern follows the well-documented playbook of initial-access-with-limited-privileges + local EoP + SYSTEM control, and because Defender is deployed by default on every modern Windows host, the exposed surface is essentially the entire Windows enterprise estate. The attacker requires only a foothold; the bug provides the climb.
Execution Flow1. Attacker obtains initial low-privilege code execution on the target Windows host (via phishing, browser exploit, credential abuse, or any prior bug). 2. Attacker plants a filesystem link (symbolic link, NTFS junction, or hard link) at a location that Defender’s Malware Protection Engine will access during scanning, quarantine, or remediation. 3. Defender’s Malware Protection Engine performs a privileged file operation on that path (read, write, delete, or quarantine) while running as SYSTEM. 4. Because the engine does not safely resolve the link before the operation, the privileged action is redirected to an attacker-chosen target (typically overwriting or creating a file in a location only SYSTEM can write to). 5. The attacker leverages that write primitive to gain arbitrary code execution as SYSTEM — for example, by overwriting a DLL or scheduled task target that subsequently runs in a SYSTEM context. Step 5 is the standard exploitation pattern for CWE-59 EoP bugs; the exact primitive chain for this specific CVE has not been publicly detailed by Microsoft.
Threat Model / Abuse Scenarios- Post-initial-access escalation in any breach where the attacker has standard user code execution and needs SYSTEM to continue
- Defense neutralization chain — escalate to SYSTEM, then disable or tamper with Defender, EDR, and audit subsystems before further activity
- Ransomware staging — many ransomware operators require SYSTEM for shadow-copy deletion, service stop, and registry modifications
- Insider escalation — a malicious standard user escalates locally without needing to phish or attack network services
- Red-team / commodity malware EoP module — link-following bugs are commonly weaponized into off-the-shelf privilege escalation toolkits given the simple primitive
Detection Opportunities- Microsoft Defender update telemetry: confirm Malware Protection Engine version is ≥ 1.1.26040.8 on every Windows endpoint. The Health Check is Get-MpComputerStatus (PowerShell) — inspect AMEngineVersion.
- EDR / Sysmon process creation telemetry for suspicious child processes spawned by MsMpEng.exe (the Malware Protection Engine service process) — under normal operation, MsMpEng.exe should not spawn arbitrary user binaries.
- Sysmon Event ID 11 (FileCreate) and Event ID 2 (FileCreateTime) for file writes by MsMpEng.exe to non-Defender paths — particularly into \Windows\System32\, \Windows\Tasks\, or user-writable directories that subsequently get executed as SYSTEM.
- Sysmon Event ID 12/13/14 (Registry events) under the HKLM\SYSTEM\CurrentControlSet\Services\ hive and other SYSTEM-only persistence locations, where writes correlate temporally with Defender scan activity.
- Inferred from bug mechanics: filesystem monitoring for creation of symbolic links, junctions, or hard links by non-administrative user processes pointing into paths that Defender scans (e.g., user temp directories, browser cache, mailbox content directories).
High-Value Detection Clues- MsMpEng.exe writing files into protected paths (System32, Windows directories, scheduled task folders) — under normal operation, the engine writes only to its own quarantine and definition stores
- Junction/symlink creation events (fsutil hardlink create, mklink, CreateSymbolicLinkW API calls) from non-administrator processes in paths the engine scans
- Malware Protection Engine version still showing 1.1.26030.3008 (or earlier) on hosts after the May 19, 2026 patch cycle — indicates auto-update failure or offline endpoints
- Defender service crashes, anomalous shutdowns, or sudden tamper-protection state changes in temporal proximity to suspicious user-context activity
- Inferred from bug mechanics: TOCTOU-style file access patterns in Defender’s own ETW provider (Microsoft-Antimalware-Engine, GUID {0A002690-3839-4E3A-B3B6-96D8DF868D99} — distinct from the Microsoft-Antimalware-Service provider {751EF305-6C6E-4FED-B847-02EF79D26AEF}) — repeated OpenFile/CreateFile calls on the same path with intervening attacker activity
Example Hunt Ideas- Across the fleet: query EDR for endpoints reporting AMEngineVersion < 1.1.26040.8 as of May 21, 2026 onward
- In Sysmon data: hunt for MsMpEng.exe with Sysmon Event ID 1 (Process Create) as parent for a non-Microsoft signed child process
- In Sysmon data: hunt for MsMpEng.exe appearing in Event ID 11 (FileCreate) for paths outside C:\ProgramData\Microsoft\Windows Defender\ or C:\Program Files\Windows Defender\
- In Microsoft 365 Defender / MDE advanced hunting (KQL): `DeviceProcessEvents
MitigationUpdate the Microsoft Malware Protection Engine to version 1.1.26040.8 or later. This patch is delivered automatically via Microsoft’s standard malware definition update channel under the default Windows Defender configuration — no separate Windows Update KB is required for the engine itself. Operators must, however, verify the engine update actually landed on every endpoint, because actively exploited zero-days warrant confirmation rather than trust in auto-update. Per fdaytalk.com and Microsoft guidance, verification steps: Windows Security → Virus & threat protectionProtection updates — confirm the engine version. Programmatically: PowerShell Get-MpComputerStatus and read AMEngineVersion. For air-gapped or offline endpoints, the engine update package can be deployed via WSUS or Microsoft’s manual download channel for Defender definitions. No interim mitigation or workaround other than patching has been published by Microsoft.
Solution StatusPatched. Fix delivered in Microsoft Malware Protection Engine version 1.1.26040.8, released May 19, 2026 per multiple secondary sources. Microsoft has not assigned a Windows Update KB number to this engine update — it ships through the antimalware definition channel. The same engine release also addresses CVE-2026-45584 (a Defender RCE) which affects the same engine version range. The companion DoS bug CVE-2026-45498 (also actively exploited, also in CISA KEV) is fixed in Microsoft Defender Antimalware Platform 4.18.26040.7, a separate component.
MITRE ATT&CK MappingATT&CK mapping not publicly established by Microsoft or CISA at time of writing. Inferred from bug mechanics: T1068 Exploitation for Privilege Escalation (direct fit for any CVE that yields local EoP). Post-exploitation chains observed for SYSTEM-level access on Windows typically include T1562.001 Impair Defenses: Disable or Modify Tools (disabling Defender after escalation), T1003 OS Credential Dumping (LSASS/SAM access enabled by SYSTEM), and T1543.003 Create or Modify System Process: Windows Service (SYSTEM persistence). The link-following primitive itself does not have a dedicated ATT&CK technique; CWE-59 abuse is generally captured under T1068.
Limitations / Constraints- Local-only. No remote exploitation vector — the attacker must already have code execution on the target host.
- Requires authenticated user context. Anonymous network attackers cannot exploit this CVE in isolation.
- Affects the Malware Protection Engine, not the Windows kernel. The bug is in mpengine.dll, not in Windows itself — environments running third-party antivirus that has fully replaced Defender (rare in modern Windows 10/11) may not be exposed.
- No public PoC at time of writing, which limits the precision of detection signatures built without controlled testing.
- Patch delivery is silent through definition updates, so the absence of a Windows Update KB does not mean the host is unpatched — verify engine version directly.
References- https://nvd.nist.gov/vuln/detail/CVE-2026-41091
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091
- https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/
- https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html
- https://thecyberexpress.com/cve-2026-41091-cve-2026-45498-cvss-exploit/
- https://cyberpress.org/cisa-exploited-microsoft-defender-0-day/
- https://vulert.com/blog/microsoft-defender-cve-2026-41091-cve-2026-45498/
- https://www.fdaytalk.com/microsoft-defender-zero-day-patch-cve-2026-41091/
- https://purple-ops.io/blog/microsoft-defender-cve-2026-41091