Particle.news

Microsoft Patches Actively Exploited Defender Zero‑Days

Public exploit code plus a CISA order have raised urgency for organizations to verify Defender updates and apply the fixes.

Overview

  • Microsoft released fixes on May 21 for two actively exploited Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498.
  • CVE-2026-41091 is a link‑following bug in the Malware Protection Engine that can let a local attacker gain SYSTEM privileges, and CVE-2026-45498 is a flaw in the Antimalware Platform that can cause a denial-of-service.
  • The company distributed Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7 and says default Defender settings will normally update these components automatically.
  • CISA added both flaws to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to patch or mitigate affected systems by June 3 under BOD 22-01.
  • Public proof-of-concept code and named BlueHammer variants such as RedSun and UnDefend have been linked to in-the-wild attacks, increasing short-term exploitation risk and prompting security teams to verify version numbers or disable Defender where appropriate.
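A quick way to do the version check the last point calls for, as an added example that is not part of the article: it reads the local Defender engine and platform builds with `Get-MpComputerStatus` and compares them against the two fixed versions the article lists. It assumes the Defender PowerShell module is available on the host; the property-to-component mapping in the comments is how Microsoft's cmdlet reports those builds.

```powershell
# Added example (not from the article): compare installed Defender component
# versions against the fixed builds named in the article.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present.
$FixedEngineVersion   = [version]'1.1.26040.8'    # Malware Protection Engine fix (from the article)
$FixedPlatformVersion = [version]'4.18.26040.7'   # Antimalware Platform fix (from the article)

function Test-DefenderPatchLevel {
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine build;
    # AMServiceVersion is the Antimalware Platform (service) build.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMServiceVersion

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $engine
        EngineFixed     = ($engine -ge $FixedEngineVersion)
        PlatformVersion = $platform
        PlatformFixed   = ($platform -ge $FixedPlatformVersion)
        SignatureAge    = $status.AntivirusSignatureAge      # days since last definition update
        RealTimeOn      = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not ($result.EngineFixed -and $result.PlatformFixed)) {
    Write-Warning "Defender engine or platform is below the fixed version; update and re-run this check."
    # Engine updates ship with definition updates, so refreshing definitions
    # usually pulls the engine forward. Platform updates arrive through
    # Windows Update and may need a separate update cycle.
    Update-MpSignature
}
```

Run it across a fleet with `Invoke-Command` and collect the objects to find hosts whose automatic updates have stalled; a false `EngineFixed` or `PlatformFixed` is the signal to investigate before relying on the default update path.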