Elevation of Privilege Vulnerability in Microsoft Defender
CVE-2026-41091
Key Information:
- Vendor: Microsoft
- CVE Published: 20 May 2026
What is CVE-2026-41091?
CVE-2026-41091 is a vulnerability in Microsoft Defender, the security product that protects Windows systems against malware and other threats. The flaw is improper link resolution prior to file access, commonly called 'link following': the product follows a filesystem link when opening a file without verifying where that link actually points. An authorized local attacker who exploits it can elevate their privileges, gaining unauthorized access to sensitive parts of the system. Elevation of privilege is particularly serious in enterprise environments, where sensitive information is at stake: an attacker who already has some level of access could use the flaw to gain escalated control, putting the organization at significant risk.
Potential impact of CVE-2026-41091
- Unauthorized Access: The vulnerability allows attackers to escalate their privileges, which can lead to unauthorized access to critical system resources and sensitive data. This can compromise both operational integrity and data confidentiality within an organization.
- Increased Risk of Data Breaches: With elevated privileges, attackers may be able to manipulate, exfiltrate, or delete sensitive data, significantly increasing the risk of data breaches. This can result in financial and reputational damage to organizations, alongside legal implications stemming from data protection regulations.
- Potential for Malware Deployment: Exploiting this vulnerability may enable attackers to deploy additional malware or tools to maintain persistence within a network. This can lead to further exploitation and potential coordination with larger ransomware campaigns, further endangering organizational cyber defenses.
CISA has reported CVE-2026-41091
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-41091 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Microsoft Malware Protection Engine, versions from 1.1.0.0 up to (but not including) 1.1.26040.8
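A defender's first question for this entry is whether a given host's antimalware engine is still below the fixed build. The following PowerShell check is an added example, not code from this page or from Microsoft; it assumes a Windows host with Microsoft Defender Antivirus installed so that the `Get-MpComputerStatus` cmdlet and its `AMEngineVersion` property are available, and it takes the fixed version 1.1.26040.8 from the affected-version entry above.

```powershell
# Added example (not from the page): report whether the local Defender
# antimalware engine is below the first fixed build for CVE-2026-41091.
# Assumes the Defender module (Get-MpComputerStatus) is present on the host.

$FixedEngine = [version]'1.1.26040.8'   # first fixed engine build, per the affected-version entry
$CveId       = 'CVE-2026-41091'

function Test-DefenderEngineFixed {
    param(
        [Parameter(Mandatory)][version]$FixedVersion
    )
    # Get-MpComputerStatus exposes the running engine and the last signature update time.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    # Version objects compare numerically per component, so 1.1.26040.8 > 1.1.9999.1 as expected.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        FixedVersion    = $FixedVersion
        Vulnerable      = ($engine -lt $FixedVersion)
        LastSigUpdate   = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderEngineFixed -FixedVersion $FixedEngine
$result | Format-List

if ($result.Vulnerable) {
    # Engine updates are delivered through the same channel as security intelligence
    # (signature) updates, so forcing an update is the usual first remediation step.
    Write-Warning "$CveId : engine $($result.EngineVersion) is below $FixedEngine. Run Update-MpSignature and re-check."
    exit 1
}
else {
    Write-Host "$CveId : engine $($result.EngineVersion) is at or above the fixed build." -ForegroundColor Green
    exit 0
}
```

The non-zero exit code lets the script feed a fleet-wide sweep (for example via `Invoke-Command` against a list of hosts) or a compliance job, and the `LastSigUpdate` field helps distinguish a host that simply has not checked in from one where updates are failing.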
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
- Microsoft patches Defender zero-days exploited in live attacks
  Microsoft issued out-of-band patches for two actively exploited Defender zero-days, RedSun and UnDefend, after Huntress confirmed real-world use in attacks.
  (3 weeks ago)
- Microsoft Defender Zero-Days Patched: RedSun, UnDefend Exploits Already Used in Live Intrusions
  Microsoft pushed out-of-band patches on May 21, 2026, for two actively exploited Windows Defender zero-days - one that lets a low-privileged attacker seize full SYSTEM-level control of any Windows
  (3 weeks ago)
- 2 New Microsoft Defender Zero-Days Exploited - Patch Now Rolling Out
  Microsoft has confirmed an emergency security update as CISA warns that two new Defender zero-days are being exploited by attackers.
  (3 weeks ago)
EPSS Score
8% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Vulnerability started trending
- Used in Ransomware
- First article discovered by Help Net Security
- Exploit known to exist
- CISA Reported
- Vulnerability published
- Vulnerability Reserved