Executive Summary
Two actively exploited zero-day vulnerabilities — CVE-2026-41091 (CVSS 7.8, Elevation of Privilege) and CVE-2026-45498 (CVSS 4.0, Denial of Service) — were disclosed as part of Microsoft's May 2026 Patch Tuesday and immediately added to CISA's Known Exploited Vulnerabilities catalog. CVE-2026-41091 resides in mpengine.dll, the core Microsoft Malware Protection Engine, and allows a low-privileged local attacker to gain SYSTEM-level control by exploiting a symbolic link race condition. CVE-2026-45498 lets attackers silently disable Defender's protective capabilities. Federal Civilian Executive Branch agencies have until June 3, 2026 to apply patches; all other organizations should treat this as urgent.
1. What Is This Vulnerability?
CVE-2026-41091 — Elevation of Privilege via Link Following
mpengine.dll is the beating heart of the Microsoft Malware Protection Engine (MPE). It handles file scanning, malware detection, remediation, and clean-up operations across all Microsoft anti-malware products. Because it needs to inspect and remove malicious files on behalf of the operating system, it runs with SYSTEM-level privileges — the highest privilege tier in Windows.
The flaw is classified as CWE-59: Improper Link Resolution Before File Access ("Link Following"). When Defender triggers a scan or remediation action on a file, mpengine.dll resolves the file path without atomically verifying that the resolved path still points to the intended location at the moment of access. An attacker who can create a symbolic link (symlink) on the filesystem can point the link at a protected system resource. When Defender follows that symlink with SYSTEM privileges, it reads, writes, or operates on the unintended target — giving the attacker a write primitive into any file on the system.
Root cause in plain terms: Defender checks a file's location, then accesses it — there's a window between check and access (TOCTOU: Time-of-Check to Time-of-Use) during which an attacker can swap a symlink into place.
CVE-2026-45498 — Denial of Service Against Defender Antimalware Platform
CVE-2026-45498 targets the Microsoft Defender Antimalware Platform (v4.18.x) and allows an attacker — again with low local access — to trigger a condition that forces Defender into an inoperable state. A disabled antimalware platform does not scan, block, or alert, effectively blinding the system's primary defense layer. This vulnerability is actively paired with CVE-2026-41091 in observed attacks: disable Defender first, then escalate freely.
Attack Vector
The attack chain combining both CVEs proceeds in two stages:
- Stage 1 — Blind the Defender (CVE-2026-45498): The attacker uses a crafted input to trigger the DoS condition, forcing MsMpEng.exe into a fault state. Defender stops real-time protection, and Windows Security Center shows Defender as "not running."
- Stage 2 — Escalate to SYSTEM (CVE-2026-41091): The attacker builds a malicious link chain:
  - Creates a junction point or object-directory symlink pointing to a high-value protected resource (e.g., C:\Windows\System32\ or the SAM hive).
  - Drops or triggers a file that causes Defender's scan engine to access the link path.
  - mpengine.dll follows the link with SYSTEM privileges, performing an attacker-controlled read/write on the target.
- Stage 3 — Persistence: With SYSTEM access, the attacker can install a kernel-level rootkit, dump credentials via the SAM hive, disable audit logging, or create a persistent SYSTEM-level service.
Real-World Impact
Security researchers linked CVE-2026-41091 to two proof-of-concept exploits — RedSun and UnDefend — published on GitHub by a disgruntled security researcher in April 2026, ahead of Microsoft's patch. The availability of weaponized PoC code dramatically accelerated in-the-wild exploitation. Threat intelligence vendors have observed ransomware pre-deployment stages leveraging these techniques on corporate endpoints where Defender is the primary AV solution.
2. Who Is Affected?
The following products ship mpengine.dll or the affected Antimalware Platform and are vulnerable:
| Product | Vulnerable Version |
|---|---|
| Microsoft Defender Antivirus (Windows 10/11) | MPE < 1.1.26040.8 |
| Microsoft Defender for Endpoint | MPE < 1.1.26040.8 |
| Microsoft Defender for Business | MPE < 1.1.26040.8 |
| Microsoft System Center Endpoint Protection | MPE < 1.1.26040.8 |
| Microsoft Security Essentials (Windows 7/8.1) | MPE < 1.1.26040.8 |
| Microsoft Defender Antimalware Platform | Platform < 4.18.26040.7 |
Third-party antivirus: Installing CrowdStrike, SentinelOne or another primary AV does not remove mpengine.dll; it places Microsoft Defender Antivirus in passive or disabled mode, and the binary (and, on Defender for Endpoint, an engine that still runs on-demand and EDR-block scans) remains on disk. Treat every Windows host that has Defender installed in any mode as in scope until the engine and platform versions below are confirmed.
Attack prerequisite: The attacker must already have local access with low privileges (e.g., standard user account). This is realistic in:
- Corporate environments where users share workstations
- Post-phishing or post-initial-access scenarios
- Supply chain or insider threat models
3. How to Detect It (Testing)
Verify Your Current mpengine.dll Version
# Check Microsoft Malware Protection Engine version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AMServiceEnabled, RealTimeProtectionEnabled
# Should show AMEngineVersion >= 1.1.26040.8
# AMProductVersion >= 4.18.26040.7
If AMEngineVersion is below 1.1.26040.8, the system is vulnerable to CVE-2026-41091.
If AMProductVersion is below 4.18.26040.7, the system is vulnerable to CVE-2026-45498.
Check if Defender is in a DoS'd State (CVE-2026-45498 Indicator)
# Check Defender service health
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
Write-Warning "ALERT: Real-time protection is disabled — possible CVE-2026-45498 exploitation"
}
if ($status.AMServiceEnabled -eq $false) {
Write-Warning "ALERT: Defender service is not running — investigate immediately"
}
Manual Testing Steps
- Step 1: Open PowerShell as administrator and run Get-MpComputerStatus | fl AMEngineVersion.
- Step 2: Compare the output against the patched version threshold, 1.1.26040.8. Any lower build number is vulnerable (compare as a version, not as a string).
- Step 3: Check Windows Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational for Event ID 1116 (malware detected), 5001 (real-time protection disabled), 5004 (real-time protection configuration changed) and 5008 (antimalware engine terminated unexpectedly).
- Step 4: Inspect the filesystem for unusual symlinks and junctions in temp or user-writable directories. cmd's dir does not expand wildcards in intermediate path components, so list reparse points recursively instead: dir /al /s C:\Users (expect the legacy compatibility junctions Windows creates in each profile root, such as "Application Data"; anything else, especially links whose target is under C:\Windows, needs explaining).
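A scripted version of Step 4, added here as an example and not part of the original advisory: it walks user-writable roots, keeps only symbolic links and junctions, records the owner and target of each, and flags links that resolve into protected locations. The lists of user-writable roots and protected prefixes are assumptions based on a default Windows layout and should be extended for your estate.

```powershell
# Added example: hunt for symlinks and junctions in user-writable locations whose
# target lands in a protected path. Runs on Windows PowerShell 5.1 and PowerShell 7.
function Find-SuspiciousReparsePoint {
    [CmdletBinding()]
    param(
        # Assumption: default user-writable roots; add others as appropriate
        [string[]]$SearchRoot = @(
            "$env:SystemDrive\Users",
            "$env:SystemDrive\ProgramData",
            "$env:SystemRoot\Temp"
        ),
        # Assumption: locations a SYSTEM-level link follow should never reach from user space
        [string[]]$ProtectedPrefix = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}"
        )
    )

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Attributes ReparsePoint also returns non-link reparse points (OneDrive
        # placeholders, AppX links), so LinkType narrows the result to real links.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in @('SymbolicLink', 'Junction') } |
            ForEach-Object {
                $target = @($_.Target)[0]      # Target is an array on Windows PowerShell
                $flag = $false
                if ($target) {
                    foreach ($prefix in $ProtectedPrefix) {
                        if ($prefix -and $target.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                            $flag = $true; break
                        }
                    }
                }
                $owner = $null
                try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
                [PSCustomObject]@{
                    Path       = $_.FullName
                    LinkType   = $_.LinkType
                    Target     = $target
                    Owner      = $owner
                    Created    = $_.CreationTime
                    Suspicious = $flag
                }
            }
    }
}

# Usage: keep the full inventory for the case file, print only the flagged links
$links = Find-SuspiciousReparsePoint
$links | Where-Object Suspicious | Format-Table Path, LinkType, Target, Owner, Created -AutoSize
```

The walk over C:\Users is slow on large profiles and will throw access-denied errors on the legacy junctions Windows protects with deny ACLs; those are suppressed. The Owner column is the quick triage key: links created by a standard user account under a protected target are what the attack chain above produces, while links owned by SYSTEM or TrustedInstaller in profile roots are the expected compatibility junctions.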
Automated Scanning
Nessus / Tenable:
- Plugin ID for the Windows Defender MPE version check: search Tenable's feed for "Microsoft Malware Protection Engine" plugins released after the May 2026 updates.
- Enable authenticated scanning and check HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion against 1.1.26040.8.
PowerShell-based fleet scan (via PSRemoting):
Import-Module ActiveDirectory   # RSAT module; Get-ADComputer is unavailable without it
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $mpStatus = Get-MpComputerStatus
    # Cast both sides to [version]: comparing the raw strings would sort lexically
    # and report "1.1.26040.8" vs "1.1.9000.1" the wrong way round
    $engine   = [version]$mpStatus.AMEngineVersion
    $platform = [version]$mpStatus.AMProductVersion
    [PSCustomObject]@{
        Computer      = $env:COMPUTERNAME
        EngineVersion = $mpStatus.AMEngineVersion
        PlatformVer   = $mpStatus.AMProductVersion
        RTProtection  = $mpStatus.RealTimeProtectionEnabled
        EngineVuln    = ($engine   -lt [version]"1.1.26040.8")   # CVE-2026-41091
        PlatformVuln  = ($platform -lt [version]"4.18.26040.7")  # CVE-2026-45498
    }
}
$results | Export-Csv -Path "defender_vuln_audit.csv" -NoTypeInformation
# Hosts that were offline or refused PSRemoting are absent from the CSV; reconcile
# the Computer column against $computers so silent gaps are not mistaken for "patched"
Microsoft Defender for Endpoint (MDE) KQL — Threat Hunting:
// Hunt for link creation by interactive users in user-writable paths.
// mklink is a cmd.exe builtin, so it only ever appears in a cmd.exe command line;
// links created through CreateSymbolicLink / NtFsControlFile (junctions) leave no
// command-line trace and need object-access auditing (4663) on the target instead.
// A ".lnk" file is a shell shortcut, not a symlink, and is not relevant here.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "mklink"
| where ProcessCommandLine has_any (@"C:\Users", @"C:\ProgramData", @"C:\Windows\Temp", "%TEMP%", "%TMP%")
| where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
Code Review Checklist
- Verify Defender update policy allows automatic platform updates (not just definition updates)
- Confirm Defender is not set to "passive mode" on endpoints that should have active protection
- Check Group Policy for any settings that defer or block security intelligence updates
- Review WSUS/MECM update schedules to ensure platform components (not just definitions) receive timely updates
- Audit Windows Defender exclusions — broad exclusions may inadvertently expose symlink attack paths
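The last checklist item, exclusion review, is easy to script. The block below is an added example, not code from the original advisory: it reads the configured path, extension and process exclusions and grades each one, flagging wildcards, whole drives, user-writable roots and executable file types. The list of user-writable roots and "risky" extensions is an assumption for a default Windows layout. Run it elevated; Defender hides exclusions from non-administrators.

```powershell
# Added example: grade Microsoft Defender exclusions by how much scanning they remove
# from attacker-reachable locations. Requires an elevated session (Get-MpPreference
# returns empty exclusion lists to standard users).
function Get-RiskyDefenderExclusion {
    $pref = Get-MpPreference
    # Assumption: default user-writable roots; add any extra ones used in your estate
    $userWritable = @(
        "$env:SystemDrive\Users",
        "$env:SystemDrive\ProgramData",
        "$env:SystemDrive\Temp",
        "$env:SystemRoot\Temp"
    )
    # Assumption: extensions whose exclusion lets a dropped payload run unscanned
    $riskyExt = 'exe', 'dll', 'sys', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr', 'msi'

    $rows = @()
    foreach ($ex in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($ex)) { continue }
        # Exclusions may be written with %ProgramData%-style variables; expand before matching
        $expanded = [Environment]::ExpandEnvironmentVariables($ex)
        $risk = 'Review'
        if ($expanded -match '[\*\?]') {
            $risk = 'High: wildcard'
        } elseif ($expanded.TrimEnd('\') -match '^[A-Za-z]:$') {
            $risk = 'High: whole drive'
        } else {
            foreach ($root in $userWritable) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $risk = 'High: user-writable path'; break
                }
            }
        }
        $rows += [PSCustomObject]@{ Type = 'Path'; Exclusion = $ex; Risk = $risk }
    }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        $risk = if ($ext.TrimStart('.') -in $riskyExt) { 'High: executable type' } else { 'Review' }
        $rows += [PSCustomObject]@{ Type = 'Extension'; Exclusion = $ext; Risk = $risk }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        # A process exclusion leaves every file that process opens unscanned
        $rows += [PSCustomObject]@{ Type = 'Process'; Exclusion = $proc; Risk = 'Review: files opened by process unscanned' }
    }
    $rows
}

# Usage: highest-risk entries first
Get-RiskyDefenderExclusion | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Anything graded High under a user-writable root deserves particular attention in the context of this advisory: it is exactly where a low-privileged attacker stages the link and the trigger file, and an exclusion there means the staging never shows up in Defender telemetry.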
4. How to Fix It (Mitigation)
Step-by-Step Remediation
For individual Windows machines:
- Force a Defender update. mpengine.dll (the engine, reported as AMEngineVersion) is delivered through the security intelligence update channel, so a signature update also pulls a newer engine when one is published; the Antimalware Platform (AMProductVersion, 4.18.x) ships separately through Windows Update as "Update for Microsoft Defender antimalware platform" (KB4052623), roughly monthly. Trigger the signature/engine update manually:
# Update Defender security intelligence and, with it, the engine
Update-MpSignature
# Command-line equivalent (same update channel), useful from scripts or a stuck session:
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
- Verify target version is installed:
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
# AMEngineVersion must be >= 1.1.26040.8
# AMProductVersion must be >= 4.18.26040.7
- If auto-update is insufficient, deploy the update manually via the Microsoft Update Catalog:
  - Navigate to: https://www.catalog.update.microsoft.com
  - Search: "Microsoft Malware Protection Engine 1.1.26040.8" for the engine, or "Update for Microsoft Defender antimalware platform" (KB4052623) for the platform
  - Download and deploy the package with your normal update tooling
- Reboot after the platform update. The new platform binaries load when the service next starts, and WinDefend is a protected (PPL) service: Restart-Service -Name WinDefend typically fails with an access-denied error even from an elevated session (and tamper protection blocks it outright), so a reboot is the reliable way to load the new version:
Restart-Computer -Confirm
For enterprise environments (MECM / Intune):
- In Microsoft Endpoint Configuration Manager: Software Library → Endpoint Protection → Antimalware Policies → select your policy → enable "Check for security intelligence updates before running a scheduled scan" and verify that the update source includes Microsoft Update. This governs security intelligence (and engine) updates; the platform update arrives through the regular software-update channel (WSUS/MECM) and must be approved and deployed like any other monthly update.
- In Intune: use the Endpoint security → Antivirus → "Defender Update controls" profile to set the platform and engine update channels (for example, Current Channel (Broad)) so that no device ring is pinned to an older channel.
- Windows Update for Business: ensure security intelligence updates and platform updates are not deferred under the Defender update ring policy.
Configuration Hardening
Enable the following Group Policy settings to reduce the link-following attack surface (complementary to patching, not a substitute for it):
Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment:
→ "Create symbolic links" → Administrators only. This is the default assignment; confirm nobody has widened it, and remember that Developer Mode grants the right to standard users. Caveat: NTFS junctions and object-manager symlinks, the primitives named in the attack chain above, do not require this right, so restricting it raises the bar only for plain file symlinks.
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus:
→ "Turn on behavior monitoring" → Enabled
→ "Configure local setting override for reporting to Microsoft MAPS" → Enabled
Verify the effective assignment of SeCreateSymbolicLinkPrivilege from an elevated PowerShell session:
# Export the local security policy (user rights included) and look up the right
secedit /export /cfg C:\temp\security_policy.cfg
Select-String -Path C:\temp\security_policy.cfg -Pattern "SeCreateSymbolicLinkPrivilege"
# Expected: SeCreateSymbolicLinkPrivilege = *S-1-5-32-544 (Administrators only)
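The secedit check above is manual and leaves a policy export on disk. The function below is an added example (not from the original advisory) that does the same thing in a reusable form: it exports the policy to a temporary file, parses the SeCreateSymbolicLinkPrivilege line, translates each SID to an account name and warns about any holder other than the built-in Administrators group. It assumes an elevated session, which secedit /export needs.

```powershell
# Added example: report who holds SeCreateSymbolicLinkPrivilege on the local machine.
# Must run elevated; secedit refuses to export the policy otherwise.
function Get-SymbolicLinkPrivilegeHolder {
    $cfg = Join-Path $env:TEMP ("secpol_{0}.cfg" -f [guid]::NewGuid())
    try {
        # secedit writes an INI-style file; the [Privilege Rights] section holds
        # lines such as: SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
        $null = & secedit.exe /export /cfg $cfg
        if (-not (Test-Path -LiteralPath $cfg)) {
            throw "secedit export failed; run from an elevated session"
        }
        # The export is UTF-16 with a BOM, which Select-String detects automatically
        $line = Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$' |
            Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody

        $entries = $line.Matches[0].Groups[1].Value -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            # SIDs are prefixed with '*'; unresolvable entries are exported as names
            $sidText = $entry.TrimStart('*')
            $account = $entry
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [PSCustomObject]@{
                Sid              = $sidText
                Account          = $account
                IsAdministrators = ($sidText -eq 'S-1-5-32-544')
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Usage
$holders = Get-SymbolicLinkPrivilegeHolder
$holders | Format-Table Sid, Account, IsAdministrators -AutoSize
$unexpected = @($holders | Where-Object { -not $_.IsAdministrators })
if ($unexpected.Count -gt 0) {
    Write-Warning ("SeCreateSymbolicLinkPrivilege is also held by: " + ($unexpected.Account -join ', '))
}
```

A clean result is a single row for S-1-5-32-544. Keep in mind the caveat from the policy section: this right gates only plain symbolic links, and a machine that passes this check can still have junctions created by any user who can write to a directory.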
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A: After patching, run Get-MpComputerStatus | Select-Object AMEngineVersion; the value must be 1.1.26040.8 or higher.
- Scenario B: Confirm real-time protection is active: (Get-MpComputerStatus).RealTimeProtectionEnabled must return True.
- Scenario C: Confirm platform version: (Get-MpComputerStatus).AMProductVersion must be 4.18.26040.7 or higher.
- Scenario D: Attempt to create a symlink as a standard user (non-admin) and confirm access is denied after hardening.
Security Test Cases
Test Case 1: Verify engine version patch is applied
- Precondition: Apply update to bring MPE to 1.1.26040.8
- Steps: Run Get-MpComputerStatus as a standard user
- Expected Result: AMEngineVersion returns 1.1.26040.8 or higher
Test Case 2: Validate symlink privilege restriction
- Precondition: Apply Group Policy restricting SeCreateSymbolicLinkPrivilege to Administrators; Developer Mode is off on the test machine
- Steps: Log in as a standard (non-admin) user and run cmd /c mklink /D C:\temp\testlink C:\Windows\System32
- Expected Result: You do not have sufficient privilege to perform this operation.
Test Case 3: Confirm Defender DoS resistance (CVE-2026-45498)
- Precondition: Platform version at 4.18.26040.7 or higher
- Steps: Monitor MsMpEng.exe process stability over 24 hours; confirm the absence of Event ID 5008 (antimalware engine terminated unexpectedly) and Event ID 3002 (real-time protection component failed) in the Microsoft-Windows-Windows Defender/Operational log
- Expected Result: No unexpected Defender service crashes or protection gaps
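Test Case 3 and the monitoring section later on both come down to the same question: is the engine up, is real-time protection on, and has the Defender operational log recorded a crash or a protection-disabled event recently? The function below is an added example (not code from the original advisory) that answers it in one object so it can be scheduled or run over PSRemoting. The event-ID meanings are those of the Microsoft-Windows-Windows Defender/Operational log; the 24-hour default window and the choice of which IDs count as a failure are assumptions you can tune.

```powershell
# Added example: local Defender health check for CVE-2026-45498 validation and
# ongoing monitoring. Returns one object; Healthy is $false if the service or
# engine is down, real-time protection is off, or a crash/disable event was logged.
function Test-DefenderHealth {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    # Event IDs from Microsoft-Windows-Windows Defender/Operational
    $meaning = @{
        1116 = 'Malware detected'
        3002 = 'Real-time protection component failed'
        5001 = 'Real-time protection disabled'
        5004 = 'Real-time protection configuration changed'
        5008 = 'Antimalware engine terminated unexpectedly'
        5010 = 'Scanning for malware disabled'
    }
    # Assumption: these IDs indicate a protection gap; 1116 and 5004 are reported only
    $failureIds = 3002, 5001, 5008, 5010

    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$meaning.Keys
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $findings = foreach ($ev in $events) {
        [PSCustomObject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Meaning = $meaning[[int]$ev.Id]
            Summary = (($ev.Message -split "`r?`n") | Select-Object -First 1)
        }
    }

    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $proc   = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $engineRunning  = ($null -ne $proc)
    $rtpEnabled     = ($null -ne $status) -and [bool]$status.RealTimeProtectionEnabled
    $gapLogged      = @($findings | Where-Object { $_.Id -in $failureIds }).Count -gt 0

    $serviceStatus   = if ($svc)    { [string]$svc.Status }     else { 'NotFound' }
    $platformVersion = if ($status) { $status.AMProductVersion } else { $null }

    [PSCustomObject]@{
        Healthy         = ($serviceRunning -and $engineRunning -and $rtpEnabled -and -not $gapLogged)
        ServiceStatus   = $serviceStatus
        EngineRunning   = $engineRunning
        RealTimeEnabled = $rtpEnabled
        PlatformVersion = $platformVersion
        Events          = @($findings)
    }
}

# Usage
$result = Test-DefenderHealth -LookbackHours 24
$result | Format-List Healthy, ServiceStatus, EngineRunning, RealTimeEnabled, PlatformVersion
$result.Events | Format-Table Time, Id, Meaning, Summary -AutoSize
```

For the 24-hour stability run in Test Case 3, schedule the function hourly and fail the test on the first Healthy = $false; the Events list tells you whether it was a crash (5008), a component failure (3002) or an administrative change (5001/5004) that tripped it.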
Automated Tests
# Automated post-patch validation script
function Test-DefenderPatchStatus {
$status = Get-MpComputerStatus
$engineOK = [version]$status.AMEngineVersion -ge [version]"1.1.26040.8"
$platformOK = [version]$status.AMProductVersion -ge [version]"4.18.26040.7"
$rtpOK = $status.RealTimeProtectionEnabled
Write-Host "=== Defender CVE-2026-41091 / CVE-2026-45498 Patch Validation ==="
Write-Host "Engine Version: $($status.AMEngineVersion) $(if ($engineOK) {'✅ PASS'} else {'❌ FAIL - PATCH REQUIRED'})"
Write-Host "Platform Version: $($status.AMProductVersion) $(if ($platformOK) {'✅ PASS'} else {'❌ FAIL - PATCH REQUIRED'})"
Write-Host "RealTime Protect: $($status.RealTimeProtectionEnabled) $(if ($rtpOK) {'✅ PASS'} else {'❌ FAIL'})"
return ($engineOK -and $platformOK -and $rtpOK)
}
Test-DefenderPatchStatus
6. Prevention & Hardening
Best Practices
- Enable automatic platform updates for Defender. Security intelligence updates are published several times a day and are applied automatically, but platform component updates (the 4.18.x platform that hosts mpengine.dll) follow a separate, roughly monthly cadence through Windows Update. Explicitly enable these in endpoint management policies; do not rely solely on definition update schedules.
- Restrict symbolic link creation privileges. The SeCreateSymbolicLinkPrivilege right should be held only by Administrators. Audit and remove this privilege from standard users and service accounts that don't explicitly require it, and keep Developer Mode off on managed endpoints, since it grants the right to standard users. This does not cover junctions or object-manager symlinks, so it is a partial control.
- Deploy Microsoft Defender for Endpoint with behavioral analytics. MDE's advanced threat protection can detect symlink-based exploitation patterns before they complete; enable Process Creation auditing (Event ID 4688, with command-line logging) and file system auditing (SACLs, Event ID 4663) for sensitive paths.
- Review Defender exclusions regularly. Overly broad exclusions (e.g., entire user home directories or C:\Temp) expand the attack surface for link-following exploits by preventing Defender from scanning the attacker-created artifacts that stage the attack.
- Adopt a vulnerability management baseline. Track the Defender platform version and engine version separately from the definition version in your asset management system. Many organizations monitor definition staleness but miss platform and engine component updates.
Monitoring & Detection
Enable the following to detect active exploitation attempts:
Windows Event IDs to monitor:
- 5001 / 5004 (Microsoft-Windows-Windows Defender/Operational): real-time protection disabled / configuration changed (possible CVE-2026-45498 trigger); 5008: antimalware engine terminated unexpectedly; 3002: real-time protection component failed
- 4688 (Security): process creation with mklink in the command line. Links created through the CreateSymbolicLink or NtCreateSymbolicLinkObject APIs do not appear on any command line and need object-access auditing instead.
- 4663 (Security): object access to sensitive files (SAM, SYSTEM, SECURITY hives) or protected paths by MsMpEng.exe targeting unexpected locations. Requires a SACL on those objects; without it nothing is logged.
SIEM detection rule (Sigma-compatible):
title: Defender Engine Write or Delete Into Protected Path (CVE-2026-41091)
status: experimental
description: Detects MsMpEng.exe performing write or delete access on protected system paths, the expected outcome when the engine follows an attacker-planted link. Requires an object-access SACL on the watched paths so that Event ID 4663 is generated.
logsource:
  product: windows
  service: security
detection:
  selection_engine:
    EventID: 4663
    ProcessName|endswith: '\MsMpEng.exe'
    ObjectName|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\'
  selection_write:
    AccessList|contains:
      - '%%4417'   # WriteData / AddFile
      - '%%1537'   # DELETE
      - '%%1539'   # WRITE_DAC
      - '%%1540'   # WRITE_OWNER
  filter_defender_own:
    ObjectName|contains:
      - '\Windows Defender\'
      - '\Microsoft\Windows Defender\'
  condition: selection_engine and selection_write and not filter_defender_own
falsepositives:
  - Defender remediating malware that lives under a watched path; correlate with Event ID 1116/1117 in the Defender operational log
  - Platform updates writing into C:\Program Files\Windows Defender (covered by the filter; widen it if your install path differs)
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
  - cve.2026.41091
Network-level indicator: MsMpEng.exe normally talks only to Microsoft endpoints (cloud-delivered protection/MAPS, telemetry and update CDNs). Connections from a SYSTEM process such as MsMpEng.exe to destinations outside that set after a suspected exploitation should raise an immediate alert. Those legitimate destinations are CDN-fronted and change over time, so baseline MsMpEng.exe's destinations per environment rather than hard-coding IP addresses.
References
- CVE-2026-41091 — Microsoft Security Response Center
- CVE-2026-45498 — Microsoft Security Response Center
- CISA KEV — CVE-2026-41091 & CVE-2026-45498 Added (May 21, 2026)
- Help Net Security — Microsoft Defender vulnerabilities exploited in the wild
- The Hacker News — Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- CSO Online — Microsoft patches two zero-day flaws in Defender
- CVEFeed — CVE-2026-41091 Detail
- CVEFeed — CVE-2026-45498 Detail
- Vulert Blog — CVE-2026-41091 and CVE-2026-45498: Microsoft Defender Flaws Actively Exploited
- May 2026 Patch Tuesday — Tenable