VULNERABILITY 🔴 2×KEV
Technical details for CVE-2026-41091 are not publicly available. The vulnerability was added to the CISA KEV catalog, which serves as CONFIRMED evidence of active exploitation. However, neither Microsoft nor CISA has provided a description of the vulnerability class, attack vector, or necessary preconditions for exploitation. The initial intelligence cluster associates this CVE with reporting on a functional issue where Domain Controller lookups fail on Windows Server 2016. It is UNCONFIRMED whether this operational bug is related to the security vulnerability designated CVE-2026-41091. The presence on the KEV list indicates a high-priority threat. It is INFERRED that exploitation likely has a significant impact, such as privilege escalation or remote code execution, sufficient to warrant inclusion in the KEV catalog. Defenders must operate on this assumption until official technical details are released.
The primary driver for immediate action on CVE-2026-41091 is its CONFIRMED status in the CISA KEV catalog as of 2026-05-20. This designation overrides all other metrics, including the low EPSS score (0.05941) and the absence of a CVSS score. The 'ZERO-DAY RACE' label suggests exploitation occurred before or concurrent with a patch becoming widely available. The significant intelligence gap, with no official technical details from Microsoft, forces defenders to prioritize based solely on the KEV alert. The low vendor risk score (0.1) provided in the initial intelligence feed is inconsistent with a KEV entry and should be disregarded in prioritization decisions.