Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild.

The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges.

“Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally,” Microsoft said in an advisory.

The second vulnerability under exploitation is CVE-2026-45498 (CVSS score: 4.0), a denial-of-service bug impacting Defender. The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.

The tech giant noted that systems that have disabled Microsoft Defender are not vulnerable to the flaw, adding that no action is required to install the update as it automatically updates malware definitions and the Microsoft Malware Protection Engine for optimal protection.

Microsoft credited five different parties with discovering and reporting the flaw, including Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher.

To ensure the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed, users are recommended to follow the steps below:

  • Open the Windows Security program.
  • In the navigation pane, select Virus & threat protection.
  • Then click on Protection Updates in the Virus & threat protection updates section.
  • Select Check for updates.
  • In the navigation pane, select Settings, and then select About.
  • Examine the Antimalware ClientVersion number.
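
The same check can be scripted for fleets where clicking through Windows Security is impractical. The PowerShell below is an added example, not code from Microsoft or from this article; it reads the versions reported by `Get-MpComputerStatus` and compares them with the fixed versions quoted above. Mapping 1.1.26040.8 to `AMEngineVersion` and 4.18.26040.7 to `AMProductVersion` is an assumption based on how those two components are usually numbered, and `Test-DefenderFixLevel` is a hypothetical helper name.

```powershell
# Added example: compare local Defender component versions with the fixed
# versions named in the article. Run in a PowerShell session on the host.
# Assumption: 1.1.x is checked against AMEngineVersion and 4.18.x against
# AMProductVersion (inferred from the version format, not stated by the page).
$fixed = [ordered]@{
    'CVE-2026-41091' = @{ Property = 'AMEngineVersion';  Minimum = [version]'1.1.26040.8' }
    'CVE-2026-45498' = @{ Property = 'AMProductVersion'; Minimum = [version]'4.18.26040.7' }
}

function Test-DefenderFixLevel {
    param([Parameter(Mandatory)] $Status)   # object returned by Get-MpComputerStatus
    foreach ($cve in $fixed.Keys) {
        $prop      = $fixed[$cve].Property
        $raw       = [string]$Status.$prop
        $installed = $null
        # TryParse avoids an exception if the field is empty or malformed.
        $parsed    = [version]::TryParse($raw, [ref]$installed)
        [pscustomobject]@{
            CVE       = $cve
            Component = $prop
            Installed = $raw
            Required  = $fixed[$cve].Minimum
            Patched   = $parsed -and ($installed -ge $fixed[$cve].Minimum)
        }
    }
}

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    # The cmdlet fails when the Defender service is unavailable, for example
    # when Defender has been disabled or replaced by another product.
    Write-Warning "Get-MpComputerStatus failed; Defender may be disabled: $_"
    return
}

if (-not $status.AMServiceEnabled) {
    Write-Warning 'The Defender antimalware service is not enabled on this host.'
}

Test-DefenderFixLevel -Status $status | Format-Table -AutoSize
```

A row with `Patched` set to `False` on a host where Defender is enabled means the automatic update has not yet arrived; `Update-MpSignature` triggers a definition update check from the same session.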

There are currently no details on how the vulnerabilities are being exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both of them to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.

With the latest development, a total of three Microsoft vulnerabilities have been flagged as exploited within a span of a week. Last week, Redmond disclosed that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.

Also added to the KEV catalog on Wednesday are four other Microsoft flaws from 2008, 2009, and 2010 –

  • CVE-2010-0806 – Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code.
  • CVE-2010-0249 – Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code.
  • CVE-2009-1537 – Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow, which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
  • CVE-2008-4250 – Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request.

Another vulnerability that finds a mention in the list is CVE-2009-3459, a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader that could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
