โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence EXPLOIT ๐Ÿ”ด 2ร—KEV

CVE-2026-41091 in Microsoft Defender: Actively Exploited Zero-Day Added to CISA KEV

📅 May 22, 2026 · 🔴 Exploit Risk: 0.248 · 📊 Intelligence Score: 70/100 · 📰 3 sources synthesized
Intelligence Metadata

First Reported By: hkcert.org
Outbreak Velocity: 560 minutes spread to 3 unique domains
Consensus: 3 sources across 3 unique domains
CVSS Score: Not available
EPSS Score: 0.12101 (85th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2484
Race Label: ZERO-DAY RACE

Technical Analysis

Microsoft has confirmed active exploitation of two zero-day vulnerabilities, CVE-2026-41091 and CVE-2026-45498, in its Microsoft Defender security product. Public technical details regarding the vulnerability class, attack chain, and preconditions for exploitation are currently limited. The 'ZERO-DAY RACE' designation indicates that threat actors were exploiting these flaws before or concurrently with the release of a patch. Given that Microsoft Defender's core function is to scan files and network traffic, the ingress point is likely the processing of a specially crafted malicious object. Successful exploitation could lead to a bypass of security controls, local privilege escalation (LPE), or remote code execution (RCE) on the affected endpoint, effectively neutralizing the system's primary defense mechanism.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Microsoft Defender
Exposure: Systems running affected versions of Microsoft Defender. The product is a core component of the Windows operating system and is widely deployed on both workstations and servers.
Blast Radius: High. Microsoft Defender is a ubiquitous endpoint security solution across enterprise, government, and consumer environments. A vulnerability in this product has a significant potential impact.

Intelligence Context

The addition of both CVE-2026-41091 and CVE-2026-45498 to the CISA KEV catalog on May 20, 2026, provides federal-level confirmation of active, in-the-wild exploitation. This is the most critical signal for prioritization. While a CVSS score is not yet available, the EPSS score of 0.12101 for the primary CVE places it in the 85th percentile, indicating a significantly higher probability of exploitation activity compared to a typical vulnerability. The combination of a KEV listing, vendor confirmation of zero-day attacks, and rapid corroboration from multiple security news outlets establishes this as a high-confidence, high-priority threat that requires immediate attention from vulnerability management and security operations teams.

Remediation & Defense

Verify patch deployment immediately. While updates are typically automatic, enterprise-wide confirmation is required due to the confirmed active exploitation.
Patch Status: Available
Patch Version: Microsoft Defender and its components typically update automatically. Administrators should verify that anti-malware and security intelligence updates are enabled and functioning correctly.
Workarounds:
  • No workarounds have been announced. Ensuring automatic updates are enabled is the primary mitigation.
Detection Hints:
  • Monitor for unexpected disabling of Microsoft Defender services or tampering with its configuration.
  • Review endpoint logs for anomalous process execution originating from Microsoft Defender's scanning engines.
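The patch-verification and detection hints above can be turned into a repeatable check. The script below is an added example and is not part of the advisory or of any Microsoft tooling; it assumes an elevated PowerShell session on a Windows host with the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Update-MpSignature). The event IDs it queries (5001, 5010, 5012) are the standard Defender Operational log events for real-time protection, antispyware and antivirus scanning being disabled; the IsTamperProtected property is only present on builds that expose tamper protection, and the one-day signature-age threshold is a chosen value, not a vendor figure.

```powershell
# Added example: verify Defender health and look for tampering (not from the advisory).
# Assumes: elevated session, Windows Defender PowerShell module available.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AMServiceEnabled            = $status.AMServiceEnabled
        AntivirusEnabled            = $status.AntivirusEnabled
        RealTimeProtectionEnabled   = $status.RealTimeProtectionEnabled
        TamperProtected             = $status.IsTamperProtected   # may be $null on older builds
        PlatformVersion             = $status.AMProductVersion
        EngineVersion               = $status.AMEngineVersion
        SignatureVersion            = $status.AntivirusSignatureVersion
        SignatureLastUpdated        = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays            = $status.AntivirusSignatureAge
        RealtimeDisabledByPreference = $pref.DisableRealtimeMonitoring
    }
}

function Test-DefenderHealth {
    # Returns a list of findings; an empty list means every check passed.
    param(
        [int]$MaxSignatureAgeDays = 1,   # assumed threshold, tune to policy
        [switch]$TryUpdate               # attempt a signature refresh when stale
    )
    $h = Get-DefenderHealth
    $findings = @()
    if (-not $h.AMServiceEnabled)          { $findings += 'Antimalware service is not enabled' }
    if (-not $h.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
    if (-not $h.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($h.RealtimeDisabledByPreference)   { $findings += 'DisableRealtimeMonitoring is set in preferences' }
    if ($h.TamperProtected -eq $false)     { $findings += 'Tamper protection is off' }
    if ($h.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($h.SignatureAgeDays) day(s) old (version $($h.SignatureVersion))"
        if ($TryUpdate) {
            # Pull the latest security intelligence; rerun the check afterwards.
            Update-MpSignature
        }
    }
    return $findings
}

function Get-DefenderTamperEvents {
    # Surfaces events that indicate Defender protection was switched off.
    param([int]$Hours = 24)
    $meaning = @{
        5001 = 'Real-time protection disabled'
        5010 = 'Antispyware scanning disabled'
        5012 = 'Antivirus scanning disabled'
    }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = { $meaning[[int]$_.Id] } },
        Message
}

# Usage: summarize state, then list findings and any tamper events from the last day.
Get-DefenderHealth | Format-List
$findings = Test-DefenderHealth -TryUpdate
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Defender checks passed' }
Get-DefenderTamperEvents -Hours 24 | Format-Table -AutoSize
```

Run it from an enterprise management channel (Intune scripts, SCCM, or a remoting loop over hosts) and collect the findings centrally; a single host reporting stale signatures or a 5001/5012 event without a matching change ticket is the condition the detection hints describe, and the version fields give the evidence needed to confirm that the patched platform and engine actually landed on each endpoint.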
