CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Microsoft patches two zero-day flaws in Defender

CSO Online Archived May 22, 2026 ✓ Full text saved

Microsoft released emergency fixes for two zero-day vulnerabilities in the malware protection components of Microsoft Defender. The flaws allow local attackers to gain system-level privileges or cause the anti-malware service to stop working correctly. Both conditions are valuable in a malware attack, first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system. On Wednesday, the United States Cybersecurity and Infrastructu

Full text archived locally
✦ AI Summary · Claude Sonnet


    CISA has added the Microsoft Malware Protection Engine and Microsoft Defender Antimalware Platform vulnerabilities to its KEV catalog, suggesting exploitation in the wild. Credit: Bernard Hermant / Unsplash Microsoft released emergency fixes for two zero-day vulnerabilities in the malware protection components of Microsoft Defender. The flaws allow local attackers to gain system-level privileges or cause the anti-malware service to stop working correctly. Both conditions are valuable in a malware attack, first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system. On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild. Security experts report that the two flaws are behind the RedSun and UnDefend exploits published last month on GitHub by a disgruntled researcher who calls themselves Nightmare Eclipse. While plausible, Microsoft has not mentioned those exploit names in its advisories for these two vulnerabilities. The privilege escalation flaw, CVE-2026-41091, is located in mpengine.dll, the Microsoft Malware Protection Engine (MPE) component that handles file scanning, malware detection, and cleaning in several Microsoft anti-malware products: Microsoft Defender, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection, and Microsoft Security Essentials. The vulnerability is described as an improper link resolution before file access issue. In other words, it’s related to a link- or shortcut-following routine that has unintended consequences. The flaw is rated with a CVSS score of 7.8, meaning high severity. The other vulnerability, CVE-2026-45498, is in the Microsoft Defender Antimalware Platform (MsMpEng.exe), which along with a series of kernel-mode drivers, is responsible for real-time monitoring and protection. As with MPE, this component is used by Microsoft’s other endpoint protection products. Although Microsoft issues updates for malware definitions three times per day, platform components such as mpengine.dll and MsMpEng.exe are updated only once per month or as needed. Customers are advised to manually trigger a check for updates in their respective product and check that they are running version 1.1.26040.8 or newer of the Malware Protection Engine and version 4.18.26040.7 or newer of the Microsoft Defender Antimalware Platform. The Malware Protection Engine update also fixes a remote code execution vulnerability tracked as CVE-2026-45584, but this flaw has not been publicly disclosed or exploited. Windows Security Endpoint Protection Security Zero-Day Vulnerabilities Vulnerabilities
    💬 Team Notes
    Article Info
    Source
    CSO Online
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗