bleepingcomputer.com via Reddit

Microsoft patches two Defender zero-days under attack

microsoft cybersecurity zero-day

Key insights

  • CVE-2026-41091 lets low-privileged attackers reach SYSTEM level through a flaw in Defender's Malware Protection Engine.
  • CVE-2026-45498 blocks Defender definition updates, leaving unpatched Windows devices unable to detect newly emerging threats.
  • CISA set a June 3, 2026 federal patch deadline and catalogued both CVEs as actively exploited known vulnerabilities.

Why this matters

Security tooling is increasingly the highest-value target for sophisticated attackers because compromising it disables the entire detection layer rather than just a single application. AI-assisted threat detection products built on top of Windows Defender or integrating with the Malware Protection Engine may inherit these vulnerabilities, creating silent blind spots in automated security pipelines that practitioners assume are reliable. For founders and technical leaders deploying AI security products in enterprise or federal environments, these disclosures signal that the trust assumptions baked into host-based security tooling need to be audited, not taken as baseline.

Summary

Microsoft has disclosed two actively exploited zero-day vulnerabilities in Windows Defender, both confirmed in the wild before patches were available. CVE-2026-41091 sits inside the Malware Protection Engine and allows low-privileged attackers to escalate to SYSTEM access through improper link resolution, effectively turning the security tool itself into an attack surface. CVE-2026-45498 is a denial-of-service flaw that cuts off Defender's ability to receive definition updates, leaving unpatched devices blind to new threats even as attackers move. In short, Microsoft and CISA are in emergency response mode on the very software meant to stop attacks.

  • CVE-2026-41091 grants full SYSTEM privileges to low-privileged local attackers via the Malware Protection Engine.
  • CVE-2026-45498 silently blocks Defender definition updates, degrading detection capability without alerting users.
  • CISA issued an emergency directive requiring all federal agencies to patch both CVEs by June 3, 2026, and added them to its Known Exploited Vulnerabilities catalog.

When antivirus infrastructure becomes the exploit vector, the patch cycle isn't a routine maintenance event; it's a race against adversaries who have already mapped the gap.
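The failure mode that matters most to defenders here is the one CVE-2026-45498 produces: a host that still looks protected but has quietly stopped receiving definitions. The following PowerShell audit is an added example, not code from the article or from Microsoft; it uses the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature) and the Defender Operational event log to flag stale definitions, failed update events and an engine build older than a patched version. The two-day staleness threshold is an assumed policy value, and the patched engine version is a placeholder to be filled in from Microsoft's advisory, since the article does not state it.

```powershell
# Added example (not from the article): audit a Windows host's Defender state for the
# two conditions the report describes: blocked definition updates (CVE-2026-45498) and
# an unpatched Malware Protection Engine build (CVE-2026-41091).
# Run in an elevated PowerShell session on the host being checked.

$MaxSignatureAgeDays  = 2                   # assumed policy threshold; tune for your fleet
$PatchedEngineVersion = [version]'0.0.0.0'  # PLACEHOLDER: set from Microsoft's advisory for CVE-2026-41091

function Get-DefenderAuditResult {
    $status   = Get-MpComputerStatus        # built-in Defender status cmdlet
    $findings = @()

    if (-not $status.AMServiceEnabled) {
        $findings += 'Defender antimalware service is not running'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is disabled'
    }

    # Stale definitions are the visible symptom of a blocked update channel
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus definitions are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated)); updates may be blocked"
    }

    # Engine build older than the patched version (placeholder above must be set for this to fire)
    if ([version]$status.AMEngineVersion -lt $PatchedEngineVersion) {
        $findings += "Malware Protection Engine $($status.AMEngineVersion) is older than the patched build"
    }

    # Failed definition-update events in the Defender Operational log (event ID 2001 = update failed).
    # Get-WinEvent errors when no events match, so suppress that and treat it as "none found".
    $failedUpdates = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddDays(-$MaxSignatureAgeDays)
    } -ErrorAction SilentlyContinue
    if ($failedUpdates) {
        $findings += "$(@($failedUpdates).Count) failed definition-update events in the last $MaxSignatureAgeDays days"
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        Findings         = $findings
        Healthy          = ($findings.Count -eq 0)
    }
}

$result = Get-DefenderAuditResult
$result | Format-List

if (-not $result.Healthy) {
    # Try a signature refresh; a refresh that keeps failing is the condition to escalate,
    # because detection is degraded until the host is patched.
    Update-MpSignature -ErrorAction Continue
}
```

Run it across a fleet through your existing remote-execution tooling and collect the Healthy flag and Findings per host; a host whose definitions are old and whose log shows repeated 2001 events should be treated as unprotected until patched, regardless of what the Defender status icon reports.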

Potential risks and opportunities

Risks

  • Federal agencies that miss the June 3, 2026 CISA deadline face compliance violations and potential GAO audit exposure, particularly those running legacy Windows infrastructure with slower patch cycles.
  • Enterprises using third-party AI security products that wrap Defender's Malware Protection Engine may remain exposed past Microsoft's patch window if vendors require their own update cycles before distributing the fix.
  • CVE-2026-45498's definition-update block creates a window where endpoint detection tools silently fail -- attackers who know a target is unpatched can time campaigns to exploit the blind spot before remediation.

Opportunities

  • Endpoint detection vendors with agent architectures independent of the Windows Malware Protection Engine (CrowdStrike, SentinelOne) gain a direct sales argument at enterprises shaken by Defender's dual exposure.
  • Patch management and vulnerability prioritization platforms (Tenable, Qualys, Rapid7) can capture budget from federal contractors and enterprises accelerating their response to the CISA June 3 deadline.
  • Managed security service providers with federal civilian customer bases can convert the emergency directive into expanded remediation contracts, particularly for agencies lacking in-house patching capacity at scale.

What we don't know yet

  • Attribution behind the active exploitation campaigns is not publicly confirmed as of May 21, 2026 -- no threat actor group has been named.
  • Whether cloud-hosted or containerized Windows environments running Defender in non-standard configurations are affected on the same timeline as on-premise deployments.
  • Whether the Malware Protection Engine flaw in CVE-2026-41091 can be triggered remotely or requires prior local access, which materially changes the exploitability risk profile.