- Microsoft patches two actively exploited zero‑day flaws in Defender, tracked as CVE‑2026‑41091 (privilege escalation) and CVE‑2026‑45498 (denial of service)
- Updates were shipped automatically via Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7, though users are advised to manually verify versions
- CISA added both bugs to its KEV catalog, giving federal agencies until June 3 to patch or discontinue vulnerable software
Microsoft has released patches for two zero-day vulnerabilities affecting its Defender antivirus tool.
In a new security advisory, the company said it fixed a privilege escalation security bug plaguing Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, and a denial-of-service flaw in the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
The former is tracked as CVE-2026-41091 and was given a severity score of 7.8/10 (high). It allows malicious actors to escalate privileges locally. The latter is tracked under CVE-2026-45498, with a severity score of 7.5/10 (high).
CISA confirms abuse
To address the vulnerabilities, Microsoft released Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7, one for each flaw. The company said no action is needed on the customer side, since Defender receives these updates automatically under the default configuration.
Still, since both flaws are being actively abused in the wild, it doesn’t hurt to double-check by navigating to the “Virus & threat protection” window, then Protection Updates, and then clicking “Check for updates”. The Antimalware Client Version and engine version should show the version numbers above.
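The same check can be scripted for hosts where clicking through the UI is impractical. The following is an added example, not code from Microsoft or from the original article. It assumes the built-in Defender PowerShell module is available, and the function name `Test-DefenderPatchLevel` is hypothetical. It parses the versions numerically, because the fixed builds end in a smaller final field (.8, .7) than the vulnerable ones (.3008, .3011), so a string comparison or a glance at the last field is misleading.

```powershell
# Added example: compare the local Defender component versions with the
# fixed builds named in the article. Test-DefenderPatchLevel is a hypothetical name.
function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        # Fixed versions as reported in the article
        [version]$FixedEngine   = '1.1.26040.8',
        [version]$FixedPlatform = '4.18.26040.7'
    )

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender not installed, service stopped, or module unavailable
        Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
        return
    }

    $checks = @(
        @{ Component = 'Malware Protection Engine'; Cve = 'CVE-2026-41091'
           Installed = $status.AMEngineVersion;     Fixed = $FixedEngine }
        @{ Component = 'Antimalware Platform';      Cve = 'CVE-2026-45498'
           Installed = $status.AMProductVersion;    Fixed = $FixedPlatform }
    )

    foreach ($c in $checks) {
        # Parse as [version] so 1.1.26040.8 correctly sorts above 1.1.26030.3008
        $installed = $null
        $parsed = [version]::TryParse([string]$c.Installed, [ref]$installed)

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Component = $c.Component
            CVE       = $c.Cve
            Installed = $c.Installed
            Fixed     = $c.Fixed
            Patched   = $parsed -and ($installed -ge $c.Fixed)
        }
    }
}

Test-DefenderPatchLevel | Format-Table -AutoSize
```

A row with `Patched` set to `False` means that component is still at or below a vulnerable build, or that its version string could not be parsed.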
Confirmation that the bugs are being exploited came from the US Cybersecurity and Infrastructure Security Agency (CISA), which recently added them to its Known Exploited Vulnerabilities (KEV) catalog.
When that happens, Federal Civilian Executive Branch (FCEB) agencies usually have a two-week deadline to patch up or stop using vulnerable software immediately. In this case, agencies have until June 3.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA explained. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Via BleepingComputer
