- Microsoft patches two actively exploited zero-day flaws in Defender, tracked as CVE-2026-41091 (privilege escalation) and CVE-2026-45498 (denial of service).
- Updates were pushed automatically via Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7, although users are advised to check the versions manually.
- CISA added both bugs to its KEV catalog, giving federal agencies until June 3 to patch or discontinue the vulnerable software.
Microsoft has released patches for two zero-day vulnerabilities affecting its Defender antivirus tool.
In a new security advisory, the company said it fixed a privilege escalation security bug affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, and a denial of service flaw in Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
The first is tracked as CVE-2026-41091 and received a severity score of 7.8/10 (high). It allows malicious actors to escalate privileges locally. The latter is tracked as CVE-2026-45498, with a severity score of 7.5/10 (high).
CISA confirms abuse
To address the vulnerabilities, Microsoft released Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7, one for each flaw. The company said no action is required on the part of the customer, as Defender receives these updates automatically under default settings.
Still, since both flaws are being actively abused, it doesn’t hurt to double-check by navigating to the “Virus & Threat Protection” window, then Protection Updates, and then clicking “Check for Updates.” The Antimalware ClientVersion number should show the version numbers given above.
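The same check can be scripted for hosts where clicking through the UI is not practical. The PowerShell below is an added example, not code from Microsoft or from the original article: it reads the installed engine and platform versions with the Defender module's `Get-MpComputerStatus` cmdlet and compares them against the fixed versions named above. The function name `Test-DefenderPatched` is a hypothetical helper introduced for this example.

```powershell
# Added example: minimum fixed versions are taken from the article above.
$fixed = [ordered]@{
    AMEngineVersion  = [version]'1.1.26040.8'   # Malware Protection Engine (CVE-2026-41091)
    AMProductVersion = [version]'4.18.26040.7'  # Antimalware Platform (CVE-2026-45498)
}

# Hypothetical helper: compares each reported version against its minimum.
function Test-DefenderPatched {
    param(
        [Parameter(Mandatory)] $Status,    # object returned by Get-MpComputerStatus
        [Parameter(Mandatory)] $Minimum    # property name -> minimum [version]
    )
    foreach ($name in $Minimum.Keys) {
        $raw    = $Status.$name
        $parsed = $null
        # An empty or unparsable value (Defender disabled or replaced by another
        # product) is reported as not patched rather than throwing.
        $ok = [version]::TryParse([string]$raw, [ref]$parsed) -and
              ($parsed -ge $Minimum[$name])
        [pscustomobject]@{
            Component = $name
            Installed = $raw
            Required  = $Minimum[$name]
            Patched   = $ok
        }
    }
}

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Warning "Get-MpComputerStatus failed (Defender missing or not running): $_"
    return
}

$report = Test-DefenderPatched -Status $status -Minimum $fixed
$report | Format-Table -AutoSize

if ($report.Patched -contains $false) {
    Write-Warning 'A component is below the fixed version; check for updates as described above.'
}
```

Comparing as `[version]` objects matters here: a plain string comparison would order the build components lexically and can misjudge versions whose fields differ in digit count.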
Confirmation that the bugs are being exploited came from the US Cybersecurity and Infrastructure Security Agency (CISA), which recently added them to its catalog of Known Exploited Vulnerabilities (KEV).
When that happens, Federal Civilian Executive Branch (FCEB) agencies typically have two weeks to fix or stop using the vulnerable software. In this case, agencies have until June 3.
“This type of vulnerability is a frequent attack vector for malicious cyberattacks and poses significant risks to the federal enterprise,” CISA explained. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are not available.”
Via BleepingComputer