Microsoft rushes patches for Defender zero-days under attack

Microsoft began rolling out security updates for two exploited Microsoft Defender zero-days, CVE-2026-41091 and CVE-2026-45498, describing both as privilege-escalation and denial-of-service risks. The updates include fixes in Malware Protection Engine versions
By Wednesday, Microsoft was already in patch-release mode, because two Microsoft Defender vulnerabilities are being exploited in real attacks, not just demonstrated in test environments.
Microsoft started rolling out security patches for two Defender vulnerabilities exploited as zero-days. The first is tracked as CVE-2026-41091, a privilege escalation flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier. That engine sits underneath Microsoft antivirus and antispyware, providing scanning, detection, and cleaning capabilities.
Microsoft said the bug comes from improper link resolution before file access, a weakness it describes as link following. Successful exploitation lets attackers gain SYSTEM privileges.
The second vulnerability is CVE-2026-45498. It affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, which is also used by Microsoft’s System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.
In Microsoft’s account of what happens next, successful exploitation allows threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.
To address both flaws, Microsoft released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7. The company added that customers shouldn’t need to take action because the default configuration in Microsoft antimalware software helps keep malware definitions and the Windows Defender Antimalware Platform up to date automatically.
Still, Microsoft’s guidance asks users to confirm that the update landed.
The steps begin inside Windows Security. Users should open the Windows Security program—typing “Security” in the Search bar and selecting Windows Security. From there, they should go to Virus & threat protection, then click Protection Updates. Next is “Check for updates.” In the navigation pane, users should open Settings and then select About.
At that point, Microsoft says to examine the Antimalware Client Version number. The update is considered successfully installed if the Malware Protection Platform version number or the signature package version number matches or exceeds the version number being verified.
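For administrators who would rather verify the same thing from a shell than click through Windows Security, the following is an added PowerShell example, not code from the article or from Microsoft. It uses the built-in Defender module’s Get-MpComputerStatus cmdlet and compares the reported versions against the fixed versions the article names. It assumes that the 1.1.26040.8 number corresponds to the engine (AMEngineVersion) and the 4.18.26040.7 number to the Antimalware Platform (AMProductVersion), since the platform numbering quoted elsewhere on the page is 4.18.x; the function name Test-DefenderPatched is my own.

```powershell
# Added example (not from the article or from Microsoft): check whether the
# Defender engine and platform on this machine are at or above the fixed
# versions the article lists.
# Assumption: 1.1.26040.8 is the engine version, 4.18.26040.7 the platform version.
function Test-DefenderPatched {
    param(
        [version]$FixedEngineVersion   = '1.1.26040.8',
        [version]$FixedPlatformVersion = '4.18.26040.7'
    )

    # Get-MpComputerStatus reports the running engine, platform and signature versions.
    $status = Get-MpComputerStatus

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EnginePatched    = ($engine -ge $FixedEngineVersion)
        PlatformVersion  = $platform
        PlatformPatched  = ($platform -ge $FixedPlatformVersion)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge   # days since the last signature update
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    # Equivalent of clicking "Check for updates" in Windows Security: pull the
    # latest definitions/engine, then re-run the check.
    Write-Warning "Defender engine or platform is below the fixed version; requesting an update."
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

Run it in an elevated PowerShell session on each endpoint, or wrap the function in Invoke-Command to sweep a fleet. Note that Update-MpSignature fetches definition and engine updates; if the platform version stays below the fixed number after that, the platform update itself still has to arrive through the normal Windows Update channel.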
The urgency didn’t stay within corporate IT teams.
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their Windows systems against both Microsoft Defender zero-day vulnerabilities, warning that they were actively exploited in the wild. CISA added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
Through Binding Operational Directive (BOD) 22-01, CISA required Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks—by June 3.
CISA framed the risk plainly: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” It also instructed agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
The clock is already ticking for administrators because Microsoft’s patches are the direct fix for CVE-2026-41091 and CVE-2026-45498—and CISA is treating both as urgent enough to make compliance time-bound.