CISA added CVE-2026-45498 to the Known Exploited Vulnerabilities catalog on 2026-05-20, flagging a denial-of-service flaw in the Microsoft Defender Antimalware Platform that federal agencies must remediate by 2026-06-03.
What Is It
CVE-2026-45498 is an unspecified denial-of-service vulnerability in Microsoft Defender. NVD classifies the secondary weakness as CWE-400 (Uncontrolled Resource Consumption). The advisory was published by Microsoft on 2026-05-20 and is currently in "Analyzed" status.
The two scoring perspectives diverge meaningfully:
- Microsoft (secondary): CVSS 3.1 base score 4.0 (MEDIUM), vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating a local attack vector with low availability impact.
- NVD (primary): CVSS 3.1 base score 7.5 (HIGH), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network attack vector with high availability impact and no privileges or user interaction required.
Why It Matters
CISA's inclusion in the KEV catalog confirms this vulnerability is associated with active exploitation in the wild, which is the bar for KEV entry. Known ransomware campaign use is currently listed as "Unknown." Because Defender is endpoint security tooling, a DoS condition can blind or disable protective controls, which is a meaningful operational concern even where confidentiality and integrity are not directly impacted. The gap between Microsoft's local-vector score (4.0) and NVD's network-vector score (7.5) suggests defenders should plan against the higher-impact scenario until further clarification is published.
What's Vulnerable
Affected product per NVD CPE data:
- microsoft:defender_antimalware_platform: versions >= 4.18.26030.3011 and < 4.18.26040.7
Patch Status
CISA's required action: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Federal civilian agencies must complete remediation by 2026-06-03. Microsoft's update guide entry (linked below) is the authoritative source for fix versions; updating the Defender Antimalware Platform to 4.18.26040.7 or later is consistent with the CPE range marked vulnerable.
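To check a host against the CPE range above, the following added example (not from Microsoft's or CISA's guidance) classifies a Defender platform version and then reads the local one with Get-MpComputerStatus. The function name Test-DefenderPlatformVersion and the result labels are hypothetical, and the sample version list is constructed for illustration.

```powershell
# Boundaries of the vulnerable range, taken from the NVD CPE data quoted on this page.
$RangeStart = [version]'4.18.26030.3011'   # first version inside the range
$RangeEnd   = [version]'4.18.26040.7'      # first version outside the range

function Test-DefenderPlatformVersion {
    # Hypothetical helper: returns a status label for one platform version string.
    param([Parameter(Mandatory)][string]$PlatformVersion)

    $parsed = $null
    if (-not [version]::TryParse($PlatformVersion, [ref]$parsed)) {
        return 'Unparseable'            # e.g. empty field in an inventory export
    }
    if ($parsed -ge $RangeEnd)   { return 'OutsideRangeNewer' }
    if ($parsed -ge $RangeStart) { return 'InVulnerableRange' }
    return 'BelowListedRange'           # older than the CPE range; review separately
}

# Constructed sample values (the two boundaries plus illustrative versions)
# showing how each branch is reached.
'4.18.26030.3011', '4.18.26035.1', '4.18.26040.7', '4.18.25110.5', 'n/a' |
    ForEach-Object {
        [pscustomobject]@{
            PlatformVersion = $_
            Result          = Test-DefenderPlatformVersion $_
        }
    }

# Local host check. AMProductVersion is the Antimalware Platform version;
# AMRunningMode shows whether Defender is active or passive on this host.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $status.AMProductVersion
        RunningMode     = $status.AMRunningMode
        Result          = Test-DefenderPlatformVersion $status.AMProductVersion
    }
} catch {
    # Defender cmdlets can fail where the service is stopped or removed.
    Write-Warning "Defender status unavailable: $($_.Exception.Message)"
}
```

A host that lands in the catch branch deserves its own follow-up, since a Defender service that cannot report status may itself be a sign of the DoS condition described above.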