Microsoft Defender Under Active Attack: Three Vulnerabilities Patched — Here's How to Check Your PC Right Now

Three Microsoft Defender vulnerabilities — two already being exploited in the wild — have been patched in a silent engine update. CISA is requiring federal agencies to fix them by June 3. Here's exactly how to check whether your PC is protected.

What's new since our earlier coverage: CISA has formally added both exploited Defender CVEs to its Known Exploited Vulnerabilities catalog, setting a June 3, 2026 deadline for federal agencies. Huntress has now confirmed real-world exploitation of both flaws. A third Defender vulnerability — a serious remote code execution bug — has also been patched in the same engine update, and the specific safe version numbers are now confirmed. Here's the full picture and exactly what to do.


If your Windows PC has Microsoft Defender running — and for most home users and small businesses, it does — you need to spend about two minutes today verifying that a critical security update has actually reached your machine.

Three vulnerabilities in Microsoft's built-in antivirus have been publicly disclosed and patched in a recent out-of-band engine update. Two of them are already being weaponized by attackers in the real world. The U.S. Cybersecurity and Infrastructure Security Agency has taken the unusual step of adding both to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to have fixes applied by June 3, 2026. The rest of us don't have a government mandate — but the deadline is a clear signal about how serious this is.

The Three Flaws You Need to Know About

CVE-2026-41091 — Privilege Escalation (CVSS 7.8) — Actively Exploited

This is the most dangerous of the three from an "attacker already in your system" perspective. According to The Hacker News, the flaw involves "improper link resolution before file access ('link following') in Microsoft Defender," which allows an authorized attacker to elevate their local privileges all the way up to SYSTEM level — the highest privilege on a Windows machine. In plain terms: if a bad actor already has a foothold on your PC, this vulnerability hands them the keys to everything.

Security firm Huntress has confirmed they've observed this flaw being exploited in the wild. PCWorld notes that Microsoft has reported exploit code for this vulnerability is publicly known, which means even less sophisticated attackers can take a run at it.

CVE-2026-45498 — Denial-of-Service (CVSS 4.0) — Actively Exploited

The second actively exploited flaw is a denial-of-service vulnerability in Defender. While a lower CVSS score might make it seem less urgent, CISA still added it to the KEV catalog — meaning real-world attackers are finding it useful enough to deploy. A DoS attack against your antivirus effectively blinds your first line of defense.

The Hacker News notes that the descriptions of these two vulnerabilities overlap with RedSun and UnDefend, two Defender zero-days previously disclosed by a researcher known as Chaotic Eclipse (also called Nightmare-Eclipse). This same researcher recently published the YellowKey BitLocker bypass exploit — a pattern suggesting persistent, targeted research into Microsoft's core security stack.

CVE-2026-45584 — Remote Code Execution (CVSS 8.1) — Patched, Not Yet Exploited

The third flaw is a heap-based buffer overflow in Defender that an unauthorized attacker could exploit to achieve remote code execution, per PCWorld. Microsoft says there's no evidence of exploitation yet — but with a CVSS score of 8.1 and researchers actively publishing proof-of-concept exploits against Defender, "not yet" is the operative phrase. All three vulnerabilities exist in the Microsoft Malware Protection Engine up to and including version 1.1.26030.3008.

The Good News: The Patch Is Silent and Automatic

Microsoft has already rolled out fixes. PCWorld confirms that all three vulnerabilities are resolved in version 1.1.26040.8 and later of the Malware Protection Engine, with CVE-2026-45498 also addressed in Antimalware Platform version 4.18.26040.7. Defender updates itself automatically as part of daily definition updates — so many PCs may already be protected.

The catch: "automatically" doesn't mean "definitely." Systems that haven't connected to the internet recently, are managed under restrictive IT policies, or have had update services disrupted may still be running the vulnerable engine version. Don't assume — verify.

How to Check Your Defender Engine Version Right Now

This takes under two minutes on any Windows 10 or Windows 11 machine:

  1. Open Windows Settings (Win + I)
  2. Go to Privacy & Security > Windows Security
  3. Click Virus & threat protection
  4. Click the Settings (gear) icon in the bottom left of that section
  5. Scroll down and click About
  6. Look for Engine Version — you want 1.1.26040.8 or higher

If you're not there yet, here's how to force the update immediately:

  1. In Windows Security, go to Virus & threat protection
  2. Under "Virus & threat protection updates," click Protection updates
  3. Hit Check for updates

Run through that process, wait for it to complete, then re-check your engine version.
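If you would rather script the check (or run it across several machines) than click through Windows Security, the following PowerShell does the same thing using the built-in Defender cmdlets. This is an added example, not something from the article's sources; it assumes the fixed version numbers quoted above and, for remote machines, that PowerShell remoting (WinRM) is enabled.

```powershell
# Added example: compare this PC's Defender engine/platform versions against
# the fixed versions cited in the article, and force an update if it is behind.
# Run from an elevated PowerShell prompt on Windows 10/11.
$fixedEngine   = [version]'1.1.26040.8'   # engine fix for all three CVEs (per PCWorld)
$fixedPlatform = [version]'4.18.26040.7'  # platform fix for CVE-2026-45498 (per PCWorld)

function Test-DefenderEngine {
    # Returns an object describing whether Defender is at or above the fixed builds.
    param([string]$ComputerName = $env:COMPUTERNAME)   # assumption: WinRM enabled for remote use

    $status = if ($ComputerName -eq $env:COMPUTERNAME) {
        Get-MpComputerStatus
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-MpComputerStatus }
    }

    # AMEngineVersion is the "Engine Version" shown under About in Windows Security;
    # AMProductVersion is the Antimalware Platform version.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer        = $ComputerName
        EngineVersion   = $engine
        PlatformVersion = $platform
        SignaturesAsOf  = $status.AntivirusSignatureLastUpdated
        EnginePatched   = ($engine -ge $fixedEngine)
        PlatformPatched = ($platform -ge $fixedPlatform)
    }
}

# Check the local machine first.
$result = Test-DefenderEngine
$result | Format-List

if (-not $result.EnginePatched) {
    Write-Warning "Engine $($result.EngineVersion) is below $fixedEngine - still exposed to CVE-2026-41091, CVE-2026-45498 and CVE-2026-45584."
    # Same as clicking "Check for updates" under Protection updates in Windows Security.
    Update-MpSignature
    Write-Host "Re-checking after update..."
    Test-DefenderEngine | Format-List
}

# For a small fleet, pass each hostname (constructed example names):
# 'PC-FRONTDESK','PC-BACKOFFICE' | ForEach-Object { Test-DefenderEngine -ComputerName $_ }
```

Any machine that still reports EnginePatched as False after Update-MpSignature has not pulled the new engine and should be investigated for blocked or disrupted update services.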

Other Microsoft Security Issues You Should Know About This Week

The Defender vulnerabilities aren't happening in isolation. PCWorld reports that the same stretch of time has seen:

  • Exchange Server CVE-2026-42897 — a critical spoofing vulnerability that is actively being exploited and still has no patch from Microsoft. If your organization runs Exchange Server 2016, 2019, or Subscription Edition, the Exchange Emergency Mitigation (EM) service needs to be active.
  • Microsoft Authenticator (CVE-2026-41615) — classified as critical, this flaw in the Android and iOS Authenticator apps could let attackers access files, services, and data using the logged-in user's permissions. Microsoft has released fixed app versions.
  • BitLocker YellowKey (CVE-2026-45585) — a proof-of-concept exploit that allows physical-access attackers to bypass BitLocker encryption if the device is using TPM-only mode without a PIN. Windows 11 and Server 2025 updates address this.

What Small Businesses Should Do

For Yuba City small businesses running Windows workstations without centralized IT management, the risk here is easy to underestimate. Defender is your primary antivirus on most Windows machines; a compromised Defender doesn't just expose one vulnerability, it can collapse your entire endpoint security posture. A few quick steps go a long way:

  • Verify the engine version on every Windows device using the steps above — especially machines that have been offline or in sleep mode for several days
  • Enable automatic Windows updates if they're not already on, so future engine patches arrive without manual intervention
  • Check your Authenticator app version on Android and iOS — update if prompted
  • If you use BitLocker, consider enabling a PIN alongside TPM to close the YellowKey attack surface

The next scheduled Patch Tuesday is June 9, 2026, per PCWorld — so more fixes are coming. But the Defender update is already out now and waiting for nothing.

If you manage multiple machines and aren't sure whether all of them have received the update, or if you're seeing anything unusual on your devices, we're happy to help with a quick check. Our membership plan includes real-time vulnerability monitoring and automated protection updates across your devices — exactly the kind of coverage that catches engine-version gaps before attackers do.

The bottom line: Defender's automatic update mechanism works, but only if your machine is actively connected and pulling updates. Two minutes today to verify your engine version is a worthwhile trade.
