🟢 CVE-2026-41091

CVE-2026-41091 is a local privilege escalation vulnerability in the Microsoft Malware Protection Engine, the engine used by Windows Defender. Exploitation requires local access and an existing low-privileged account, so the flaw is not directly exploitable from the internet even though it is listed in CISA KEV.

Risk Level: LOW_RISK
CVSS Score: 7.8
Attack Vector: LOCAL
ATT&CK Tactic: Privilege Escalation
ATT&CK Technique: T1068 — Exploitation for Privilege Escalation
Deployment Risk: VERY_LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-05-20

Added to CISA KEV: 2026-05-20 (0 days between CVE publication and KEV addition)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2026-41091 is a critical security vulnerability affecting the Microsoft Malware Protection Engine, which is the core component of Microsoft Defender. Below is a summary of the known details regarding this vulnerability.

Overview and Impact
  • Vulnerability Type: Improper link resolution before file access ("link following").
  • Impact: Successful exploitation allows an authenticated, low-privileged attacker to achieve SYSTEM-level privileges on the target machine [4] [3].
  • CVSS Score: 7.8 (High) [4].
Exploitation and Threat Activity
  • Active Exploitation: The vulnerability has been confirmed as being exploited in the wild as a zero-day prior to the release of security patches [1] [2].
  • Attack Method: It is a local privilege escalation (LPE) attack. An attacker must already have local access to the system and abuses the flaw by tricking the Microsoft Malware Protection Engine's remediation and cloud file rollback processes into following a link [2] [3].
  • Targeted Attacks/Ransomware: While reports confirm it was used in zero-day attacks, specific attribution to ransomware campaigns or specific threat actors has not been widely publicized in the initial reporting as of June 2026.
  • Proof-of-Concept (PoC): There are public references to PoC code available on platforms like GitHub, which demonstrate how a low-privileged user can escalate to SYSTEM privileges [3].
Affected Versions and Mitigation
  • Affected Product: Microsoft Malware Protection Engine, specifically version 1.1.26030.3008 [1].
  • Patch Status: Microsoft released security patches in May 2026 to address this vulnerability [1]. Users are strongly advised to ensure their Microsoft Defender engine is updated to the latest version to mitigate this risk.

Sources

  1. Microsoft warns of new Defender zero-days exploited in attacks

    The first one, tracked as CVE-2026-41091, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 ... On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. The first one…

  2. Microsoft Defender vulnerabilities exploited in the wild (CVE-2026 ...

    CVE-2026-41091 allows for local privilege elevation (LPE), and is caused by the Microsoft Malware Protection Engine improperly resolving links ...

  3. 0xBlackash/CVE-2026-41091 - GitHub

    It allows a low-privileged authenticated attacker to achieve SYSTEM privileges by tricking Defender's remediation and cloud file rollback ...

  4. Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days

    Microsoft this week released patches for two vulnerabilities in Defender, warning they have been exploited in the wild as zero-days. The first, tracked as CVE-2026-41091 (CVSS score of 7.8), is described as a link-following issue that allows attackers to elevate their privileges to System.