Fix Soon

CVE-2026-41091

Local Privilege Escalation in Microsoft Defender

Summary

An authorized local attacker can abuse improper link resolution in Microsoft Defender's Malware Protection Engine. During privileged file access or scanning, Defender may follow an attacker-controlled symbolic link or junction instead of the intended path, redirecting a high-privilege operation onto a protected target. Successful exploitation can elevate a low-privilege Windows account to SYSTEM, and the CVE is being actively exploited in the wild.

Why Fix Soon?

5/6
Domain user required (treated as pre-auth on internal network)
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes (domain user)
PoC / Exploit: No
Impact

Gain SYSTEM-level privileges on the local Windows host.

Privilege Escalation
Exploitation Requirements
  • Authentication required (domain user)
Exploitation Process

The attacker first plants a symbolic link or NTFS junction in a location their account can write to, pointing at a protected file or directory that only SYSTEM can modify. They then cause the engine's scanning or remediation logic to operate on that path. Because the engine does not resolve and reject the link before performing its privileged file access, the access follows the link and lands on the attacker-chosen target instead of the path the engine believed it was touching (the CWE-59 'link following' pattern). Redirecting a SYSTEM-level file operation onto a protected location is what the attacker then leverages to obtain SYSTEM; the specific engine operation that gets redirected is not documented on this page.
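
The link-following pattern above, as an added example (it is not from the advisory or from Microsoft and says nothing about Defender's internals): a PowerShell function that walks a path component by component and reports every reparse point (symbolic link, junction, mount point) on it, which is the check a privileged file operation should perform before trusting a path. The function names Get-ReparsePointsInPath and Test-PathIsLinkFree are chosen here; the demonstration directories under $env:TEMP are constructed for the example. It uses a junction because creating one needs no elevation, so the whole script runs as a standard user.

```powershell
# Added example, not part of the advisory or of Microsoft's code.
# Walk $Path component by component and return every component that is a
# reparse point (SymbolicLink, Junction, mount point). A privileged
# operation that skips this check, or does it only after opening the
# path, is the CWE-59 'link following' pattern the advisory describes.
function Get-ReparsePointsInPath {
    param([Parameter(Mandatory)][string]$Path)

    # GetFullPath normalises '..' and relative segments but does NOT follow
    # reparse points, which is what we want: each component is inspected
    # here instead of letting the filesystem silently follow links.
    $full     = [System.IO.Path]::GetFullPath($Path)
    $root     = [System.IO.Path]::GetPathRoot($full)
    $current  = $root
    $findings = @()

    foreach ($part in $full.Substring($root.Length) -split '\\') {
        if ([string]::IsNullOrEmpty($part)) { continue }
        $current = Join-Path -Path $current -ChildPath $part
        # -Force includes hidden items; -LiteralPath avoids wildcard expansion.
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) { break }   # rest of the path does not exist (yet)
        if ($item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) {
            $findings += [pscustomobject]@{
                Component = $current
                LinkType  = $item.LinkType            # 'Junction', 'SymbolicLink', ...
                Target    = ($item.Target -join '; ')
            }
        }
    }
    return $findings
}

# Policy helper: refuse to act on a path that a low-privilege user could have
# redirected. "Link-free" here simply means "contains no reparse point"; a real
# implementation would also check who can write to each component's parent.
function Test-PathIsLinkFree {
    param([Parameter(Mandatory)][string]$Path)
    return (@(Get-ReparsePointsInPath -Path $Path).Count -eq 0)
}

# --- demonstration (constructed paths; runs as a standard user) ---------------
$demoRoot = Join-Path $env:TEMP ("cwe59-demo-" + [guid]::NewGuid().ToString('N'))
$target   = New-Item -ItemType Directory -Path (Join-Path $demoRoot 'protected') -Force
$linkDir  = Join-Path $demoRoot 'user-writable'
New-Item -ItemType Directory -Path $linkDir -Force | Out-Null

# A junction does not require SeCreateSymbolicLinkPrivilege, so an ordinary
# user can plant one in any directory they can write to.
$junction = Join-Path $linkDir 'scanme'
New-Item -ItemType Junction -Path $junction -Target $target.FullName | Out-Null

# A file written "under" the junction physically lands in the target directory:
# this is the redirection a privileged file operation would suffer.
Set-Content -LiteralPath (Join-Path $junction 'dropped.txt') -Value 'redirected'
Get-Item -LiteralPath (Join-Path $target.FullName 'dropped.txt') | Select-Object FullName

Get-ReparsePointsInPath -Path (Join-Path $junction 'dropped.txt') | Format-Table -AutoSize
"Link-free (via junction): $(Test-PathIsLinkFree -Path (Join-Path $junction 'dropped.txt'))"
"Link-free (direct path):  $(Test-PathIsLinkFree -Path (Join-Path $target.FullName 'dropped.txt'))"

# Delete the junction itself (not its target) before removing the demo tree.
[System.IO.Directory]::Delete($junction)
Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

The path through the junction is reported with one Junction component and fails Test-PathIsLinkFree, while the direct path under the target passes. A check like this is still a check-then-use sequence: a link can be swapped in between the walk and the actual open, so a privileged component should additionally open paths with FILE_FLAG_OPEN_REPARSE_POINT (or impersonate the requesting user) rather than rely on a pre-check alone.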

Detection Resources
Manual Detection: 1 | Script Detection: 0 | Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Malware Protection Engine
Affected Versions: before 1.1.26040.8
Description

Microsoft's antimalware engine that scans files, detects threats, and supports malware-removal logic for Microsoft Defender and related endpoint protection products.

Deployment: Typically internal | Protocol: Local | Ports: none (local access only)

Affected Component: File-access and link-resolution handling in the Microsoft Malware Protection Engine scanning path.


Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimate based on market presence, product type and adoption signals, not exact data).
Vendor Size: Big
Remediation
Workaround: Not available

Patch: Not available

Update: Update Microsoft Malware Protection Engine to version 1.1.26040.8 or later. Engine updates are delivered together with Defender security intelligence updates through Microsoft's normal update channels (Windows Update, WSUS, Intune or Configuration Manager), so most hosts pick up the fix automatically. Managed environments should still confirm that the new engine version is actually deployed, for example by checking AMEngineVersion from Get-MpComputerStatus, because hosts with stale or blocked security intelligence updates keep running the vulnerable engine.


msrc.microsoft.com
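
The verification step above, as an added example (not from the advisory or from Microsoft): a PowerShell check that compares the installed Defender engine with the fixed version named on this page, first on the local host and then, over PowerShell remoting, across a list of hosts. The function name Test-DefenderEngineFixed is chosen here, the fixed version comes from the page, and the host list is an empty placeholder to be filled with real names. It relies on the Defender module that ships with Windows 10 / Server 2016 and later.

```powershell
# Added example, not from the advisory or from Microsoft.
# Compares the installed Defender engine (AMEngineVersion) with the fixed
# version named on this page.
function Test-DefenderEngineFixed {
    param(
        # Fixed engine version from the advisory.
        [version]$FixedVersion = [version]'1.1.26040.8'
    )
    $status = Get-MpComputerStatus
    # Hosts where Defender is disabled can report an empty engine version;
    # treat that as 0.0.0.0 so they sort to the top as "not fixed".
    $raw = $status.AMEngineVersion
    $installed = if ([string]::IsNullOrEmpty($raw)) { [version]'0.0.0.0' } else { [version]$raw }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMEngineVersion    = $installed
        FixedVersion       = $FixedVersion
        IsFixed            = ($installed -ge $FixedVersion)
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

# 1. This host. If it is still below the fixed version, pull a security
#    intelligence update (which carries the engine) and re-check.
#    Update-MpSignature needs an elevated session.
$local = Test-DefenderEngineFixed
$local | Format-List
if (-not $local.IsFixed) {
    Update-MpSignature
    Test-DefenderEngineFixed | Format-List
}

# 2. Fleet check over PowerShell remoting. $hosts is intentionally empty here;
#    fill it with real names (the commented ones are constructed placeholders).
#    Hosts still on a vulnerable engine sort to the top of the table.
$hosts = @()   # e.g. @('ws-001', 'ws-002')
if ($hosts.Count -gt 0) {
    Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderEngineFixed} -ErrorAction Continue |
        Sort-Object IsFixed, AMEngineVersion |
        Format-Table ComputerName, AMEngineVersion, IsFixed, SignaturesUpdated -AutoSize
}
```

Passing the function as a script block to Invoke-Command works because its body only references cmdlets and environment variables that exist on the remote host; the default value of $FixedVersion travels with it, so no argument list is needed.
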
Threat Intelligence
EPSS Score: 12.1% (probability of exploitation in the next 30 days)

EPSS Percentile: 94% (worse than 94% of all CVEs)

CISA KEV: Listed
Active Exploitation: Active
cyber.gc.ca
Threat Actors

No known threat actors

Detection Rules (1)

KQL (hunts for command-line creation of NTFS links; comments added here):

// Command-line creation of symbolic links, junctions and reparse points.
// Noisy on developer and build hosts: scope by InitiatingProcessAccountName
// (exclude SYSTEM and service accounts) and by link targets under protected paths.
DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "fsutil.exe")
    and ProcessCommandLine has_any ("mklink", "New-Item -ItemType SymbolicLink", "reparsepoint", "junction")

The rule only sees links made through those three binaries (mklink is a cmd.exe built-in, so it shows up as a cmd.exe command line). A link created by calling CreateSymbolicLink or DeviceIoControl with FSCTL_SET_REPARSE_POINT from custom code has no matching command line and is missed, so treat a hit as a lead rather than the only signal.

NVD Data


Description Summary

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
Version From: 1.1.26030.3008 | Version Upto: 1.1.26040.8 (exclusive; 1.1.26040.8 is the fixed version)

Affected Software (CPE) (1)

  • cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*