Microsoft has started rolling out an emergency security update for Microsoft Defender after the U.S. Cybersecurity and Infrastructure Security Agency confirmed that two new zero-day vulnerabilities are already being exploited in the wild by attackers. One is a privilege escalation problem that affects the Microsoft Malware Protection Engine, while the other has a broader scope, affecting Microsoft Defender Antimalware Platform and Microsoft's System Center Endpoint Protection. Here’s what you need to know about CVE-2026-41091 and CVE-2026-45498, including the mitigation measures confirmed by Microsoft.

Microsoft Defender CVE-2026-41091 And CVE-2026-45498 Zero-Days Explained

Microsoft has now confirmed two new Microsoft Defender zero-days that it said had been exploited. This exploitation was confirmed by CISA, which has added the security flaws to its Known Exploited Vulnerabilities catalog and given federal agencies until June 3 to ensure mitigation measures are in place.

It has not been the greatest few days for Microsoft on the security front, especially regarding zero-day vulnerabilities. Microsoft Exchange users have been warned about an active zero-day exploit demanding emergency mitigation, the now infamous ‘angry hacker’ dropped another two public zero-day exploits, and the Pwn2Own Berlin hacking event uncovered numerous Windows zero-days. All within the space of a week.

The first has a Common Vulnerabilities and Exposures designation of CVE-2026-41091, and Microsoft described it as a Microsoft Defender elevation of privilege vulnerability caused by improper link resolution before file access. This zero-day affects the Microsoft Malware Protection Engine up to version 1.1.26030.3008 and could give a successful attacker SYSTEM privileges, with all that entails.

The second, CVE-2026-45498, is a denial of service vulnerability impacting Microsoft Defender. Microsoft said that this affects the Defender Antimalware Platform up to version 4.18.26030.3011, along with other products that use it, including Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

When adding the zero-days to the KEV Catalog database, CISA warned that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors,” and accordingly gave Federal Civilian Executive Branch agencies just 14 days, starting May 20, to mitigate the threat.

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.” As such, no action is required: the update now rolling out will be applied without user input. It is still worth checking that the default configuration applies to your copy of Microsoft Defender and that automatic updating is indeed enabled. Microsoft has advised users to verify that the update is installed by opening the Windows Security app, selecting Virus & threat protection and then Protection Updates.
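For administrators who would rather script the check than click through Windows Security, the following is an added example (it is not from the article and not Microsoft's own guidance). It reads the installed engine and platform builds with the built-in Defender PowerShell module and compares them against the "affected up to" versions the article reports. Because the article does not name the fixed build numbers, the script assumes that any build newer than those ceilings is patched; the registry path and the use of `Update-MpSignature` to pull the engine update are standard Defender administration, but the function name and thresholds are this example's own.

```powershell
# Added example (not from the article or from Microsoft): report whether this
# machine's Defender engine and platform builds are still inside the ranges the
# article lists as affected, and whether automatic updating appears enabled.
# Assumes the built-in Defender PowerShell module (Get-MpComputerStatus,
# Get-MpPreference, Update-MpSignature) and an elevated session on Windows.

function Test-DefenderZeroDayPatchState {
    [CmdletBinding()]
    param(
        # Version ceilings the article reports as affected. Anything at or below
        # is treated as unpatched; anything newer is ASSUMED patched, since the
        # article does not name the fixed build numbers.
        [version]$AffectedEngineMax   = '1.1.26030.3008',   # CVE-2026-41091 (Malware Protection Engine)
        [version]$AffectedPlatformMax = '4.18.26030.3011'   # CVE-2026-45498 (Antimalware Platform)
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $engine   = [version]$status.AMEngineVersion    # e.g. "1.1.x.y"
    $platform = [version]$status.AMProductVersion   # e.g. "4.18.x.y"

    # Windows Update policy: NoAutoUpdate = 1 under this key disables automatic
    # updates, which is the channel the platform update arrives through.
    # A missing key or value means no policy override is in place.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAutoUpdate = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $autoUpdatePolicyBlocked = ($noAutoUpdate -eq 1)

    [pscustomobject]@{
        EngineVersion            = $engine
        EngineVulnerable         = ($engine -le $AffectedEngineMax)       # CVE-2026-41091
        PlatformVersion          = $platform
        PlatformVulnerable       = ($platform -le $AffectedPlatformMax)   # CVE-2026-45498
        SignatureVersion         = $status.AntivirusSignatureVersion
        SignatureLastUpdated     = $status.AntivirusSignatureLastUpdated
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtectionOn     = $status.RealTimeProtectionEnabled
        SignatureUpdateInterval  = $pref.SignatureUpdateInterval           # hours; 0 = no custom interval configured
        WindowsUpdateAutoBlocked = $autoUpdatePolicyBlocked
    }
}

$result = Test-DefenderZeroDayPatchState
$result | Format-List

if ($result.EngineVulnerable -or $result.PlatformVulnerable) {
    Write-Warning 'Defender engine and/or platform build is still within the affected range.'
    # Pull the latest security intelligence update now instead of waiting for the
    # next scheduled check; engine updates are delivered through the same channel.
    Update-MpSignature
    # Re-read the engine build after the pull. The platform update comes via
    # Windows Update, so re-run this check after the next update cycle.
    Write-Host ('Engine version after update: ' + (Get-MpComputerStatus).AMEngineVersion)
}
if ($result.WindowsUpdateAutoBlocked) {
    Write-Warning 'Policy has disabled automatic Windows Update; the platform update will not arrive on its own.'
}
```

Run it from an elevated PowerShell prompt on each endpoint, or wrap the function in your configuration-management tool and collect the returned object; the two `*Vulnerable` flags are what a fleet report should pivot on, while the `WindowsUpdateAutoBlocked` flag highlights machines where the automatic rollout the article describes will not happen.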