Microsoft rolls out out-of-band security patches to fix two Defender zero-days
Microsoft has begun rolling out security updates for two Microsoft Defender vulnerabilities that have been actively exploited in zero-day attacks.

The first flaw, tracked as CVE-2026-41091, affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. The vulnerability stems from insecure link following: a local user can create a specially crafted symbolic link pointing at a critical file on the system and overwrite it with elevated privileges.

A second issue (CVE-2026-45498) impacts systems running Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. Successful exploitation could enable attackers to trigger denial-of-service (DoS) conditions on vulnerable Windows systems.

The vendor has also patched a critical remote code execution flaw (CVE-2026-45584) in the Malware Protection Engine, caused by a boundary error. A remote attacker can pass a specially crafted file to the system, which, once scanned, can trigger a heap-based buffer overflow and remote code execution. Currently, there is no indication that the vulnerability is being exploited in the wild.

To address the vulnerabilities, Microsoft released Malware Protection Engine version 1.1.26040.8 and Microsoft Defender Antimalware Platform version 4.18.26040.7. The company said most customers should not need to take manual action, because Defender products are configured by default to receive automatic updates for malware definitions and platform components. However, users are advised to verify that the update was installed by checking Protection Updates in Windows Security.
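For administrators who would rather script the check than open Windows Security on every host, the following PowerShell snippet is an added example (not code from the article or from Microsoft). It reads the installed engine and platform versions with the built-in `Get-MpComputerStatus` cmdlet and compares them against the fixed builds named above. The fixed version numbers come from the article; the assumption that `AMEngineVersion` and `AMProductVersion` report the engine and platform versions respectively is based on the Defender PowerShell module's documented properties.

```powershell
# Added example: verify that the Defender engine and platform are at or above
# the fixed builds from the advisory. Not part of the original article.
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform fix

# Get-MpComputerStatus is part of the built-in Defender module on Windows.
$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion    # assumed: engine version
$platform = [version]$status.AMProductVersion   # assumed: platform version

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    EngineVersion    = $engine
    EngineFixed      = ($engine -ge $FixedEngine)
    PlatformVersion  = $platform
    PlatformFixed    = ($platform -ge $FixedPlatform)
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureAgeDays = $status.AntivirusSignatureAge
}
$report | Format-List

if (-not ($report.EngineFixed -and $report.PlatformFixed)) {
    Write-Warning "Defender is below the fixed builds; requesting an update now."
    # Pulls the latest definitions and platform components immediately
    # instead of waiting for the next scheduled update cycle.
    Update-MpSignature
}
```

Run it in an elevated PowerShell session; on a fleet, wrap it in `Invoke-Command` and collect the `$report` objects to see which hosts are still on a vulnerable engine or platform build.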

The US Cybersecurity and Infrastructure Security Agency (CISA) has also flagged CVE-2026-41091 and CVE-2026-45498 as actively exploited, along with a number of older vulnerabilities affecting Microsoft Explorer (CVE-2010-0249, CVE-2010-0806), MS Windows (CVE-2008-4250), MS DirectX (CVE-2009-1537), and Adobe Acrobat (CVE-2009-3459).
