Vulnerability-Lookup

CVE-2026-41091 (GCVE-0-2026-41091)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:09 – Updated: 2026-05-26 16:57

CISA KEV

Title

Microsoft Defender Elevation of Privilege Vulnerability

Summary

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Microsoft Malware Protection Engine	Affected: 1.1.0.0 , < 1.1.26040.8 (custom)

Date Public

2026-05-19 14:00

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 585a485a-b1a5-49e8-8e94-9e2a71a3efb4

Vulnerability ID: CVE-2026-41091

Status: Confirmed

Status Updated: 2026-05-20 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2026-05-20

Asserted: 2026-05-20

Scope

Notes: KEV entry: Microsoft Defender Link Following Vulnerability | Affected: Microsoft / Defender | Description: Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-06-03 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091 ; https://nvd.nist.gov/vuln/detail/CVE-2026-41091

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-59
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Defender
Due Date	2026-06-03
Date Added	2026-05-20
Vendorproject	Microsoft
Vulnerabilityname	Microsoft Defender Link Following Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2026-41091

Created: 2026-05-20 18:00 UTC | Updated: 2026-05-20 18:00 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41091",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-05-20",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T03:55:23.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-20T00:00:00.000Z",
            "value": "CVE-2026-41091 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Malware Protection Engine",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.1.26040.8",
              "status": "affected",
              "version": "1.1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.26040.8",
                  "versionStartIncluding": "1.1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-05-19T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Defender allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T16:57:25.941Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Defender Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
        }
      ],
      "title": "Microsoft Defender Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-41091",
    "datePublished": "2026-05-20T13:09:13.634Z",
    "dateReserved": "2026-04-16T19:12:36.195Z",
    "dateUpdated": "2026-05-26T16:57:25.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2026-41091",
      "cwes": "[\"CWE-59\"]",
      "dateAdded": "2026-05-20",
      "dueDate": "2026-06-03",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091 ; https://nvd.nist.gov/vuln/detail/CVE-2026-41091",
      "product": "Defender",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Defender Link Following Vulnerability"
    },
    "epss": {
      "cve": "CVE-2026-41091",
      "date": "2026-05-30",
      "epss": "0.06978",
      "percentile": "0.91583"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41091\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2026-05-20T13:16:29.173\",\"lastModified\":\"2026-05-20T19:06:36.850\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper link resolution before file access (\u0027link following\u0027) in Microsoft Defender allows an authorized attacker to elevate privileges locally.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-05-20\",\"cisaActionDue\":\"2026-06-03\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Microsoft Defender Link Following Vulnerability\",\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.26030.3008\",\"versionEndExcluding\":\"1.1.26040.8\",\"matchCriteriaId\":\"AD1882FA-1447-46F7-A592-142F55820A60\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41091\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-20T17:12:43.312897Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-05-20\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-20T17:13:03.067Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-20T00:00:00.000Z\", \"value\": \"CVE-2026-41091 added to CISA KEV\"}]}], \"cna\": {\"title\": \"Microsoft Defender Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Microsoft Malware Protection Engine\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.1.0.0\", \"lessThan\": \"1.1.26040.8\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2026-05-19T14:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091\", \"name\": \"Microsoft Defender Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Improper link resolution before file access (\u0027link following\u0027) in Microsoft Defender allows an authorized attacker to elevate privileges locally.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.1.26040.8\", \"versionStartIncluding\": \"1.1.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2026-05-26T16:57:25.941Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41091\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-26T16:57:25.941Z\", \"dateReserved\": \"2026-04-16T19:12:36.195Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2026-05-20T13:09:13.634Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0623

Vulnerability from certfr_avis - Published: 2026-05-20 - Updated: 2026-05-21

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service.

Microsoft indique que les vulnérabilités CVE-2026-41091 et CVE-2026-45498 sont activement exploitées.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Microsoft	N/A	azl3 kernel-hwe 6.12.0.0-1 versions antérieures à 6.12.89.1-1
Microsoft	N/A	azl3 python-urllib3 2.0.7-4 versions antérieures à 2.0.7-5
Microsoft	N/A	Microsoft Malware Protection Engine
Microsoft	N/A	azl3 vim 9.2.0392-1 versions antérieures à 9.2.0488-1
Microsoft	N/A	azl3 kernel 6.6.138.1-1
Microsoft	N/A	azl3 openvswitch 3.3.0-2 versions antérieures à 3.3.0-3
Microsoft	N/A	Microsoft Defender Antimalware Platform

References

Title

Publication Time

FKIE_CVE-2026-41091

Vulnerability from fkie_nvd - Published: 2026-05-20 13:16 - Updated: 2026-05-20 19:06

CISA KEV

Severity

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

References

	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091	Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091	US Government Resource, Third Party Advisory

Impacted products

	Vendor	Product	Version
	microsoft	malware_protection_engine	*

JSON

To clipboard

{
  "cisaActionDue": "2026-06-03",
  "cisaExploitAdd": "2026-05-20",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Microsoft Defender Link Following Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD1882FA-1447-46F7-A592-142F55820A60",
              "versionEndExcluding": "1.1.26040.8",
              "versionStartIncluding": "1.1.26030.3008",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Defender allows an authorized attacker to elevate privileges locally."
    }
  ],
  "id": "CVE-2026-41091",
  "lastModified": "2026-05-20T19:06:36.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-20T13:16:29.173",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource",
        "Third Party Advisory"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Secondary"
    }
  ]
}

GHSA-H776-J9JW-992P

Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-05-20 18:31

Details

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Severity

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-41091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T13:16:29Z",
    "severity": "HIGH"
  },
  "details": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Defender allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-h776-j9jw-992p",
  "modified": "2026-05-20T18:31:34Z",
  "published": "2026-05-20T15:35:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41091"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

MSRC_CVE-2026-41091

Vulnerability from csaf_microsoft - Published: 2026-05-12 07:00 - Updated: 2026-05-26 07:00

Summary

Microsoft Defender Elevation of Privilege Vulnerability

Severity

Important

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action: Required. The vulnerability documented by this CVE requires customer action to resolve.

CVE-2026-41091

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Microsoft Malware Protection Engine 1.1.26040.8 Microsoft Malware Protection Engine		1.1.26040.8

Known affected 1 product

Product	Identifier	Version	Remediation
Microsoft Malware Protection Engine <1.1.26040.8 Microsoft Malware Protection Engine		<1.1.26040.8	Vendor Fix fix

Threats

Impact Elevation of Privilege

Exploit Status Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected

References

7 references

URL	Category
https://msrc.microsoft.com/update-guide/vulnerabi…	self
https://msrc.microsoft.com/csaf/advisories/2026/m…	self
https://www.microsoft.com/en-us/msrc/exploitabili…	external
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/update-guide/vulnerabi…	self
https://msrc.microsoft.com/csaf/advisories/2026/m…	self

Acknowledgments

<a href="https://github.com/void2012 "> Damir Moldovanov </a>

<a href="https://www.linkedin.com/in/andrewcdorman">ACD421</a> with Hollow Point Labs

Anonymous

Diffract

<a href="https://x.com/sibusisosishi">Sibusiso</a> with <a href="https://www.ironsky.co.za/">Ironsky</a>

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "\u003ca href=\"https://github.com/void2012 \"\u003e Damir Moldovanov \u003c/a\u003e"
        ]
      },
      {
        "names": [
          "\u003ca href=\"https://www.linkedin.com/in/andrewcdorman\"\u003eACD421\u003c/a\u003e with Hollow Point Labs"
        ]
      },
      {
        "names": [
          "\u003ca href=\"https://www.linkedin.com/in/andrewcdorman\"\u003eACD421\u003c/a\u003e with Hollow Point Labs"
        ]
      },
      {
        "names": [
          "Anonymous"
        ]
      },
      {
        "names": [
          "Diffract"
        ]
      },
      {
        "names": [
          "\u003ca href=\"https://x.com/sibusisosishi\"\u003eSibusiso\u003c/a\u003e with \u003ca href=\"https://www.ironsky.co.za/\"\u003eIronsky\u003c/a\u003e"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
      },
      {
        "category": "self",
        "summary": "CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-41091.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Defender Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2026-05-26T07:00:00.000Z",
      "generator": {
        "date": "2026-05-26T16:55:49.517Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-41091",
      "initial_release_date": "2026-05-12T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-19T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-05-26T07:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "In the Security Updates table, added links to the Release Notes. This is an informational change only."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c1.1.26040.8",
            "product": {
              "name": "Microsoft Malware Protection Engine \u003c1.1.26040.8",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "1.1.26040.8",
            "product": {
              "name": "Microsoft Malware Protection Engine 1.1.26040.8",
              "product_id": "11902"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Malware Protection Engine"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41091",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.",
          "title": "What privileges could be gained by an attacker who successfully exploited this vulnerability?"
        },
        {
          "category": "faq",
          "text": "Last version of the Microsoft Malware Protection Engine affected by this vulnerability: Last version of the Microsoft Malware Protection Engine affected by this vulnerability, 1.1.26030.3008: 1.1.26030.3008, First version of the Microsoft Malware Protection Engine with this vulnerability addressed: First version of the Microsoft Malware Protection Engine with this vulnerability addressed, Version 1.1.26040.8: Version 1.1.26040.8\nSee Manage Updates Baselines Microsoft Defender Antivirus for more information.\nVulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.\nIn response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.\nFor enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.\nBest practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.\nMicrosoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.\nDepending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.\nThe Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.\nDefender runs on all supported version of Windows.\nYes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.\nYes.\u00a0 In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.",
          "title": "Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?"
        }
      ],
      "product_status": {
        "fixed": [
          "11902"
        ],
        "known_affected": [
          "1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
        },
        {
          "category": "self",
          "summary": "CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-41091.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T07:00:00.000Z",
          "details": "1.1.26040.8:Security Update:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide",
          "product_ids": [
            "1"
          ],
          "url": "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 6.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected"
        }
      ],
      "title": "Microsoft Defender Elevation of Privilege Vulnerability"
    }
  ]
}

WID-SEC-W-2026-1603

Vulnerability from csaf_certbund - Published: 2026-05-19 22:00 - Updated: 2026-05-20 22:00

Summary

Microsoft Defender und Malware Protection Engine: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Microsoft Defender ist eine Software zur Erkennung von schädlicher Software (Malware). Die Malware Protection Engine ist Bestandteil verschiedener Sicherheitsprodukte von Microsoft und stellt selbigen das Scannen sowie Erkennen und Entfernen von Schadprogrammen zur Verfügung.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Microsoft Defender und Microsoft Malware Protection Engine ausnutzen, um seine Privilegien zu erhöhen, um beliebigen Code auszuführen und um einen Denial of Service Zustand herbeizuführen.

Betroffene Betriebssysteme: - Windows

CVE-2026-41091

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Microsoft Malware Protection Engine <1.1.26040.8 Microsoft / Malware Protection Engine		<1.1.26040.8

CVE-2026-45498

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Microsoft Defender Antimalware Platform <4.18.26040.7 Microsoft / Defender		Antimalware Platform <4.18.26040.7

CVE-2026-45584

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Microsoft Malware Protection Engine <1.1.26040.8 Microsoft / Malware Protection Engine		<1.1.26040.8
Microsoft Defender Antimalware Platform <4.18.26040.7 Microsoft / Defender		Antimalware Platform <4.18.26040.7

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://msrc.microsoft.com/update-guide/	external
https://msrc.microsoft.com/update-guide/vulnerabi…	external
https://msrc.microsoft.com/update-guide/vulnerabi…	external
https://msrc.microsoft.com/update-guide/vulnerabi…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Microsoft Defender ist eine Software zur Erkennung von sch\u00e4dlicher Software (Malware).\r\nDie Malware Protection Engine ist Bestandteil verschiedener Sicherheitsprodukte von Microsoft und stellt selbigen das Scannen sowie Erkennen und Entfernen von Schadprogrammen zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Defender und Microsoft Malware Protection Engine ausnutzen, um seine Privilegien zu erh\u00f6hen, um beliebigen Code auszuf\u00fchren und um einen Denial of Service Zustand herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1603 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1603.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1603 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1603"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2026-05-19",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "Microsoft CVE-2026-45498 vom 2026-05-19",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498"
      },
      {
        "category": "external",
        "summary": "Microsoft CVE-2026-41091 vom 2026-05-19",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091"
      },
      {
        "category": "external",
        "summary": "Microsoft CVE-2026-45584 vom 2026-05-19",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Defender und Malware Protection Engine: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:35:37.903+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1603",
      "initial_release_date": "2026-05-19T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-31105, EUVD-2026-31101, EUVD-2026-31102"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Antimalware Platform \u003c4.18.26040.7",
                "product": {
                  "name": "Microsoft Defender Antimalware Platform \u003c4.18.26040.7",
                  "product_id": "T054345"
                }
              },
              {
                "category": "product_version",
                "name": "Antimalware Platform 4.18.26040.7",
                "product": {
                  "name": "Microsoft Defender Antimalware Platform 4.18.26040.7",
                  "product_id": "T054345-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:defender:4.18.26040.7::antimalware_platform"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Defender"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.1.26040.8",
                "product": {
                  "name": "Microsoft Malware Protection Engine \u003c1.1.26040.8",
                  "product_id": "T054347"
                }
              },
              {
                "category": "product_version",
                "name": "1.1.26040.8",
                "product": {
                  "name": "Microsoft Malware Protection Engine 1.1.26040.8",
                  "product_id": "T054347-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:malware_protection_engine:1.1.26040.8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Malware Protection Engine"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41091",
      "product_status": {
        "known_affected": [
          "T054347"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-41091"
    },
    {
      "cve": "CVE-2026-45498",
      "product_status": {
        "known_affected": [
          "T054345"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-45498"
    },
    {
      "cve": "CVE-2026-45584",
      "product_status": {
        "known_affected": [
          "T054347",
          "T054345"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-45584"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41091 (GCVE-0-2026-41091)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

CERTFR-2026-AVI-0623

Solutions

FKIE_CVE-2026-41091

GHSA-H776-J9JW-992P

MSRC_CVE-2026-41091

WID-SEC-W-2026-1603

Tags

Sightings

Nomenclature