Microsoft has started rolling out fixes for two Microsoft Defender vulnerabilities that were already being exploited in the wild, according to multiple reports. The bugs affect the Microsoft Malware Protection Engine and the Microsoft Defender Antimalware Platform, putting core Windows protection components in the spotlight as attackers abuse them for local privilege escalation and disruption.
The more serious flaw is CVE-2026-41091, an elevation-of-privilege issue tied to improper link resolution before file access, also described as a “link following” weakness. BleepingComputer reported that the bug affects Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, and that successful exploitation could let an attacker gain SYSTEM privileges. Cybersecurity News likewise said the flaw is being actively exploited and that it can allow a local attacker to reach SYSTEM level on affected systems.
The second issue, CVE-2026-45498, affects Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. Microsoft says exploitation can trigger denial-of-service conditions on unpatched Windows devices. Cybersecurity News described the bug as a platform-level weakness that could crash or impair Defender protection, while BleepingComputer said the issue also affects products that reuse the same platform, including System Center Endpoint Protection and Microsoft Security Essentials. There is some variation in how the impact is framed, but both outlets agree it is being actively exploited.
Microsoft has shipped updated versions of the affected components: Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. The company also said customers should not need to take separate manual action in most cases because Defender definitions and platform updates are meant to install automatically. Even so, both BleepingComputer and Cybersecurity News said administrators should verify that the expected versions have actually been applied.
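The verification both outlets recommend can be scripted. The following is an added example, not code from Microsoft or either outlet: it compares the `AMEngineVersion` and `AMProductVersion` properties returned by `Get-MpComputerStatus` against the fixed versions named above. The helper name `Test-DefenderPatchLevel` and the sample host are assumptions made for illustration.

```powershell
# Fixed versions as reported on this page.
$FixedVersions = [ordered]@{
    AMEngineVersion  = [version]'1.1.26040.8'   # Malware Protection Engine (CVE-2026-41091)
    AMProductVersion = [version]'4.18.26040.7'  # Antimalware Platform (CVE-2026-45498)
}

# Test-DefenderPatchLevel is a hypothetical helper name, not a Microsoft cmdlet.
function Test-DefenderPatchLevel {
    param(
        [Parameter(Mandatory)] $Status,   # object shaped like Get-MpComputerStatus output
        [string] $ComputerName = $env:COMPUTERNAME
    )
    foreach ($property in $FixedVersions.Keys) {
        $raw = [string]$Status.$property
        $installed = $null
        # An empty or unparsable value is reported as Unknown, never as patched.
        if (-not [version]::TryParse($raw, [ref]$installed)) {
            $state = 'Unknown'
        } elseif ($installed -ge $FixedVersions[$property]) {
            $state = 'Patched'
        } else {
            $state = 'Vulnerable'
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Component    = $property
            Installed    = $raw
            Required     = $FixedVersions[$property].ToString()
            State        = $state
        }
    }
}

# Constructed sample: engine still at the affected version, platform already updated.
$sample = [pscustomobject]@{
    AMEngineVersion  = '1.1.26030.3008'
    AMProductVersion = '4.18.26040.7'
}
Test-DefenderPatchLevel -Status $sample -ComputerName 'SAMPLE-HOST' | Format-Table -AutoSize

# On a live endpoint, feed the real status instead of the sample.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Test-DefenderPatchLevel -Status (Get-MpComputerStatus) | Format-Table -AutoSize
}
```

Versions are compared as `[version]` objects rather than strings, so `1.1.26040.8` correctly sorts above `1.1.26030.3008`.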
CISA also moved quickly, adding both vulnerabilities to its Known Exploited Vulnerabilities catalog and ordering Federal Civilian Executive Branch agencies to remediate them by June 3 under Binding Operational Directive 22-01, BleepingComputer reported. Cybersecurity News noted that the flaws were publicly disclosed on May 19 and that Microsoft’s exploitability assessment shows “Exploitation Detected,” underscoring that the attacks are not theoretical. For defenders, the immediate concern is that a security tool designed to block malware is now itself part of the attack surface.