Washington, D.C.

Seattle Tech Giant Races Out Defender Fix After Zero-Day Attacks

Published on May 22, 2026
Image: Unsplash/Simon Ray

Microsoft has rushed out emergency updates this week after disclosing that two previously unknown "zero-day" flaws in its Defender antimalware platform are already being exploited in the wild. One vulnerability lets an attacker who already has a foothold on a machine climb all the way up to SYSTEM privileges, while the other can knock Defender offline and leave Windows machines temporarily unprotected.

Inside Microsoft’s Rush Patch And The CVE Details

To tackle the issues, Microsoft shipped a fixed antimalware engine, version 1.1.26040.8, which arrives through the regular security intelligence update, and a fixed antimalware platform, version 4.18.26040.7, which ships as the monthly platform update, according to Microsoft Security Intelligence. The bugs are tracked as CVE-2026-41091, a link-following privilege-escalation flaw, and CVE-2026-45498, a denial-of-service issue that can stop Defender from running, as reported by BleepingComputer. Microsoft says customers sticking with the default Defender settings should get both fixes automatically, while admins who prefer a firmer hand can push the updates through their usual management tools.

CISA Flags The Flaws And Puts Feds On The Clock

On May 20 the two vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog, which immediately triggered an accelerated remediation window for federal agencies. The NVD entry lists June 3 as the due date for Federal Civilian Executive Branch systems to be patched. The agency warned that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors" and urged organizations to apply the vendor's updates or, for federal agencies, follow Binding Operational Directive 22-01. The compressed timeline is meant to shrink the window attackers have to weaponize the flaws across large government and enterprise environments.

How To Verify You’re Patched

To confirm you are protected, open Windows Security, go to Virus & threat protection, then Protection updates, and check that the Engine and Platform versions are at least 1.1.26040.8 and 4.18.26040.7, respectively, per Microsoft Security Intelligence. The engine version comes down with the security intelligence update, so forcing a signature update is usually enough to pick it up; the platform version is a separate package. If automatic updates are turned off, administrators can deploy that package through Intune, WSUS, or the Microsoft Update Catalog - see KB4052623 for the corresponding platform build. Security teams that do not see the new versions appear promptly are advised to review their management tooling and rollout policies, Malwarebytes notes.
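For fleets, clicking through Windows Security on every machine does not scale. The script below is an added example, not code from the article or from Microsoft: it reads the engine and platform versions with Get-MpComputerStatus, compares them against the thresholds quoted above, and also checks that the antimalware service is actually running, since the second flaw is a denial of service that can take Defender offline even on a machine that later gets patched. The function name Test-DefenderPatchLevel and the version thresholds are the author's assumptions for this illustration.

```powershell
# Added example (not from the article): verify that Microsoft Defender on this
# host carries the fixed engine/platform versions and is actually running.
# Thresholds are the versions quoted in the article; assumed here, not sourced
# from Microsoft's own tooling.
function Test-DefenderPatchLevel {
    param(
        [version]$RequiredEngine   = [version]'1.1.26040.8',
        [version]$RequiredPlatform = [version]'4.18.26040.7'
    )

    try {
        # Get-MpComputerStatus talks to the Defender service. If the DoS flaw
        # (or anything else) has taken the service down, this call itself fails,
        # which is a finding in its own right, so report it rather than crash.
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Reachable        = $false
            Error            = $_.Exception.Message
            Patched          = $false
            NeedsAttention   = $true
        }
    }

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    $enginePatched   = $engine   -ge $RequiredEngine
    $platformPatched = $platform -ge $RequiredPlatform

    # AMRunningMode reports "Normal", "Passive Mode", etc. Passive mode is
    # expected when a third-party AV owns real-time protection, so it is
    # flagged separately rather than treated as a failure.
    $running = $status.AMServiceEnabled -and $status.RealTimeProtectionEnabled

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Reachable        = $true
        EngineVersion    = $engine
        PlatformVersion  = $platform
        EnginePatched    = $enginePatched
        PlatformPatched  = $platformPatched
        Patched          = ($enginePatched -and $platformPatched)
        ServiceEnabled   = $status.AMServiceEnabled
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        RunningMode      = $status.AMRunningMode
        SignatureAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
        NeedsAttention   = (-not ($enginePatched -and $platformPatched -and $running))
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

# If only the engine is behind, a signature refresh normally pulls it in;
# the platform (KB4052623) has to come via Windows Update or your management tool.
if ($result.Reachable -and -not $result.EnginePatched) {
    Update-MpSignature
    Test-DefenderPatchLevel | Select-Object EngineVersion, EnginePatched
}
```

Run it as a local administrator; with Invoke-Command or your RMM tool the same function can be fanned out across endpoints and the NeedsAttention column filtered. A host that is unreachable or shows the service disabled outside of a deliberate passive-mode deployment deserves a closer look, because that is exactly the condition the denial-of-service flaw produces.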

Why Defenders Are On Edge

Researchers point out that proof-of-concept techniques for related Defender issues surfaced publicly in April, which has shortened the time security teams have to react. Reporting by CSO Online and other trackers indicates attackers have already been seen chaining privilege-escalation techniques into run-of-the-mill infections. That combination - a denial-of-service bug to strip away protections and a separate flaw to escalate privileges - is what pushed agencies to put these vulnerabilities near the top of their to-do lists.

Bottom Line For Users And IT Teams

For Windows users, the marching orders are simple: keep Defender and Windows Update set to install updates automatically and double-check that your engine and platform versions match or exceed the patched numbers above. IT teams should push the updated Defender platform where it has not landed yet and watch endpoint telemetry for signs of local privilege escalation and for Defender services stopping unexpectedly. Organizations handling federal data also need to document their mitigation steps under Binding Operational Directive 22-01 and meet the KEV remediation deadlines, per CISA. For most home users and small businesses, though, the fix really is straightforward: make sure Defender is up to date and let the security intelligence update do its job.