CISA added a Microsoft Defender link-following vulnerability (CVE-2026-41091) to the Known Exploited Vulnerabilities catalog on 2026-05-20, confirming active exploitation and giving federal agencies until 2026-06-03 to remediate.
What Is It
CVE-2026-41091 is an improper link resolution before file access flaw (CWE-59, "link following") in Microsoft Defender's Malware Protection Engine. By coercing the engine into following an attacker-controlled symbolic link or junction, an authorized local user can elevate privileges on the affected host. Microsoft assigned the issue a CVSS 3.1 base score of 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, local attack vector, low complexity, low privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.
Why It Matters
CISA's KEV listing confirms this vulnerability is being actively exploited in the wild. Because Microsoft Defender runs with high privileges on virtually every modern Windows endpoint and server, a successful link-following exploit gives an attacker who already has a foothold a reliable path to full local privilege escalation, turning a low-privilege beachhead into SYSTEM-level control of the host. Known ransomware use is currently listed as "Unknown," but link-following EoP bugs in security products are routinely chained into post-compromise tradecraft.
What's Vulnerable
Per the NVD CPE configuration, the affected component is the Microsoft Malware Protection Engine (the engine behind Microsoft Defender):
cpe:2.3:a:microsoft:malware_protection_engine
- Vulnerable versions: >= 1.1.26030.3008 and < 1.1.26040.8
Hosts running an engine build at or above 1.1.26040.8 are not in the vulnerable range.
Patch Status
Microsoft has published guidance through MSRC for CVE-2026-41091. The Malware Protection Engine typically updates automatically via Defender's signature/engine delivery channel, and the fixed build is 1.1.26040.8 or later. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies must complete remediation by 2026-06-03; private-sector defenders should treat that as a hard deadline given confirmed exploitation.
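As an added example (not part of this advisory or Microsoft's own tooling), the following PowerShell check reads the local engine build from the Defender module's Get-MpComputerStatus output, tests it against the NVD range quoted above, and forces an engine/signature pull with Update-MpSignature when the host is in range. It assumes the Defender PowerShell module is present and that the host reaches its normal update channel.

```powershell
# Added example, not from the advisory or Microsoft. Compares a Malware
# Protection Engine build against the vulnerable range for CVE-2026-41091:
#   >= 1.1.26030.3008 (first vulnerable build, inclusive)
#   <  1.1.26040.8    (first fixed build, exclusive)

function Test-DefenderEngineVulnerable {
    param(
        [Parameter(Mandatory)][string]$EngineVersion
    )
    $lower = [version]'1.1.26030.3008'
    $fixed = [version]'1.1.26040.8'
    # [version] compares all four fields numerically, so 1.1.26040.8 correctly
    # sorts above 1.1.26035.1 even though "8" < "1" as a string.
    $v = [version]$EngineVersion
    return ($v -ge $lower) -and ($v -lt $fixed)
}

# Boundary self-check on constructed build numbers (not real fleet data).
$samples = @(
    @{ Build = '1.1.26029.9999'; ExpectVulnerable = $false }  # just below the range
    @{ Build = '1.1.26030.3008'; ExpectVulnerable = $true  }  # lower bound, inclusive
    @{ Build = '1.1.26035.1';    ExpectVulnerable = $true  }  # inside the range
    @{ Build = '1.1.26040.8';    ExpectVulnerable = $false }  # fixed build, exclusive
)
foreach ($s in $samples) {
    $got = Test-DefenderEngineVulnerable -EngineVersion $s.Build
    if ($got -ne $s.ExpectVulnerable) {
        throw "Boundary check failed for $($s.Build): got $got, expected $($s.ExpectVulnerable)"
    }
}

# Live check of this host. AMEngineVersion is the Malware Protection Engine build.
$engine = (Get-MpComputerStatus).AMEngineVersion

if (Test-DefenderEngineVulnerable -EngineVersion $engine) {
    Write-Warning "Engine $engine is in the vulnerable range for CVE-2026-41091; pulling the latest engine/signatures."
    Update-MpSignature
    # Re-read after the update so the log shows whether the host actually moved out of range.
    $engine = (Get-MpComputerStatus).AMEngineVersion
    $still  = Test-DefenderEngineVulnerable -EngineVersion $engine
    "Engine build after update: $engine (still vulnerable: $still)"
} else {
    "Engine build $engine is outside the vulnerable range for CVE-2026-41091."
}
```

For fleet-wide triage, wrap the live-check portion in Invoke-Command against your host list and collect the returned strings; hosts that report "still vulnerable: True" after the update are the ones whose update channel needs attention before the 2026-06-03 deadline.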