Two Microsoft Defender vulnerabilities are being actively exploited in the wild.
On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added a notable set of actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog tracks vulnerabilities known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.
Five of the added vulnerabilities are quite old by vulnerability standards. Patches were released in 2008, 2009, and 2010. But the Microsoft Defender vulnerabilities are from this year. Those two are:
- CVE-2026-41091 (CVSS score 7.8 out of 10): a Microsoft Defender elevation of privilege vulnerability. A local attacker who already has some access to a machine can abuse Defender to gain SYSTEM-level permissions, effectively giving them full control over Windows.
- CVE-2026-45498 (CVSS score 4.0 out of 10): a Microsoft Defender denial-of-service vulnerability. Here, an attacker can interfere with Defender in a way that disrupts its normal operation. If attackers can crash or disable your antivirus engine on demand, they can create a safer environment for their malware to run undetected.
You should take patching these vulnerabilities seriously if:
- You rely on Microsoft Defender as your primary endpoint protection
- You manage Windows systems in a business, school, or local government environment
- You have shared machines, terminal servers, or any environment where multiple users log on to the same system
As you’d expect from us, we don’t advise relying on Windows Defender alone. There are better options available, and they are not mutually exclusive.
How to patch
Security products are software, and software has bugs. When those bugs end up in a list of known exploited vulnerabilities, ignoring them is like leaving your front door open because “the alarm will catch anyone coming in.”
Make sure Windows Update is enabled and set to receive updates for Microsoft products. Defender platform updates are often delivered alongside regular cumulative updates.
Also check that recent Microsoft Defender security intelligence and platform updates are installed.
The first version of the Microsoft Defender Antimalware Platform with these vulnerabilities addressed is 4.18.26040.7.
You can usually find that version number in Windows Security:
- Open Start and search for Windows Security
- Go to Virus & threat protection
- Click Settings or the gear icon
- Open About
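The same check can be scripted instead of read from the About page. The PowerShell below is an added example, not code from the original article or from Microsoft. It assumes the built-in Defender module's Get-MpComputerStatus cmdlet is available; the function name Test-DefenderPlatformPatched and every sample version string other than 4.18.26040.7 are constructed for illustration.

```powershell
# First platform version with both fixes, as stated in the article.
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPlatformPatched {
    # Hypothetical helper: classifies a platform version string against the fixed build.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$PlatformVersion,
        [version]$Minimum = $FixedPlatform
    )
    $parsed = $null
    # Parse as [version] so the comparison is numeric per component, not a string compare.
    if (-not [version]::TryParse($PlatformVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    if ($parsed -ge $Minimum) { 'Patched' } else { 'Vulnerable' }
}

# Local machine: AMProductVersion is the Antimalware Platform version.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PlatformVersion  = $status.AMProductVersion
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        State            = Test-DefenderPlatformPatched -PlatformVersion $status.AMProductVersion
    }
} catch {
    # Defender may be disabled or replaced by another product; report instead of assuming.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# Constructed sample values, such as an inventory export might contain.
# The third one would sort below the fixed build under a plain string comparison.
'4.18.26030.3', '4.18.26040.7', '4.18.100000.1', 'n/a' | ForEach-Object {
    '{0,-16} {1}' -f $_, (Test-DefenderPlatformPatched -PlatformVersion $_)
}
```

A result of Unknown means the version could not be read or parsed, and should be treated as unverified rather than patched.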
Even with auto-update enabled, I didn’t receive this patch immediately. Defender platform updates can lag behind definitions or only appear when a cumulative Windows update lands. Microsoft typically releases updates for the Microsoft Defender Antimalware Platform once a month, or as needed to protect against new threats.
So, I’ll have to wait. Good thing I’m protected.

