Particle.news

Microsoft Issues Emergency Patches for Two Actively Exploited Defender Zero‑Days

The updates fix a link‑following privilege escalation that can yield SYSTEM access and a denial‑of‑service that can disable Defender, with U.S. federal agencies required to deploy fixes by June 3.

Overview

  • Microsoft began rolling out patched Malware Protection Engine v1.1.26040.8 and Antimalware Platform v4.18.26040.7 on May 20–21 to address the two flaws.
  • CVE‑2026‑41091 is a link‑following local privilege escalation rated CVSS 7.8 that can let an attacker gain SYSTEM privileges; CVE‑2026‑45498 is a denial‑of‑service rated CVSS 4.0 that can stop Defender from running.
  • CISA confirmed in‑the‑wild exploitation, added both bugs to its Known Exploited Vulnerabilities catalog, and ordered Federal Civilian Executive Branch agencies to patch or mitigate the issues by June 3 under BOD 22‑01.
  • Public proof‑of‑concept exploits published by researcher Nightmare Eclipse and sightings by incident responders have increased weaponization risk, though Microsoft says systems with Defender disabled are not exploitable.
  • Administrators should verify the patched engine and platform versions in Windows Security because Defender platform updates can lag behind definitions, and enterprise environments with shared or multiuser systems should prioritize immediate checks and rollouts.
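A version check for the last point, added here as an example rather than anything from the article or from Microsoft. It assumes the built‑in Defender PowerShell module (Get-MpComputerStatus) is available and compares the running engine and platform against the fixed build numbers the article quotes; the output fields and the warning text are this example's own.

```powershell
# Added example (not from the article): compare the locally running Defender
# engine and platform against the fixed builds the article names.
# Assumes the Defender PowerShell module is present (Windows 10/11, Server 2016+).
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix (from article)
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform fix (from article)

function Test-DefenderPatched {
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is empty when Defender is not the active engine
    # (e.g. a third-party AV has taken over); report that instead of failing.
    if ([string]::IsNullOrEmpty($status.AMEngineVersion)) {
        return [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DefenderEnabled = $status.AntivirusEnabled
            Patched         = $null
            Note            = 'Defender engine not active; no engine/platform version to check'
        }
    }

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion   # the antimalware platform version

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DefenderEnabled = $status.AntivirusEnabled
        EngineVersion   = $engine
        EnginePatched   = ($engine -ge $FixedEngine)
        PlatformVersion = $platform
        PlatformPatched = ($platform -ge $FixedPlatform)
        Patched         = ($engine -ge $FixedEngine) -and ($platform -ge $FixedPlatform)
        Note            = ''
    }
}

$r = Test-DefenderPatched
$r | Format-List

# Platform updates can lag behind definition updates, so an unpatched platform
# with a patched engine is a realistic result and still needs the platform rollout.
if ($r.Patched -eq $false) {
    Write-Warning ("CVE-2026-41091 / CVE-2026-45498: engine patched={0}, platform patched={1}. " +
                   "Run Update-MpSignature for the engine and deploy the platform update, then re-check.") `
                   -f $r.EnginePatched, $r.PlatformPatched
}
```

For a fleet check, run the function through Invoke-Command against a list of hosts and filter on `Patched -ne $true`.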