Microsoft Defender Has Two Zero-Days Being Actively Exploited — The Software Guarding Your Computer Needed Guarding From Itself

🤚 The Open-Palm Patch Notes

On Wednesday, Microsoft began rolling out emergency security patches for two zero-day vulnerabilities in Microsoft Defender — the software that is, quite literally, the last line of defense on hundreds of millions of Windows machines. Both flaws were already being actively exploited in the wild before patches arrived, which is the cybersecurity equivalent of calling the locksmith while someone is already inside your house.

The vulnerabilities:

  • CVE-2026-41091 — A privilege escalation flaw in the Malware Protection Engine (versions 1.1.26030.3008 and earlier) caused by improper link resolution before file access (CWE-59). Attackers can exploit it to gain SYSTEM-level privileges, which is the Windows equivalent of having the keys to every room, every safe, and the building itself.
  • CVE-2026-45498 — A denial-of-service vulnerability in the Defender Antimalware Platform (versions 4.18.26030.3011 and earlier) that allows threat actors to render endpoint protection completely inoperable. Your antivirus doesn’t just fail to catch the malware — it takes a nap.

Affected products include the Malware Protection Engine, Microsoft Defender Antimalware Platform, System Center Endpoint Protection (both 2012 and 2012 R2 editions), and Security Essentials — a product name that has never aged worse than it does right now.

👐 The Two-Handed Security Paradox

There is a particular genre of cybersecurity incident that never stops being funny, and it is this: the security product itself is the vulnerability. Not the operating system. Not the browser. Not some third-party widget installed by an intern. Microsoft Defender — the application whose entire reason for existence is to prevent exactly this kind of exploitation — had two zero-days being actively used to compromise the systems it was supposed to protect.

CVE-2026-41091 is especially elegant in its irony. The Malware Protection Engine follows symbolic links to files it shouldn’t, allowing attackers to escalate privileges to SYSTEM. The engine designed to inspect suspicious files was tricked by a suspicious file. It’s like a security guard who opens every suspicious package by hand, alone, in a dark room, because that’s what the manual says to do.

And CVE-2026-45498 is the cherry on top: a denial-of-service attack against your antivirus. Attackers don’t need to evade detection if they can simply turn detection off. This is not a sophisticated bypass technique. This is walking up to the guard dog and feeding it a sleeping pill.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and mandated that all federal agencies patch their systems by June 3, 2026. Which means government computers running the software designed to protect government computers are currently vulnerable because the protection software failed to protect itself.

🌿 The Gentle Awakening

Microsoft, to its credit, has stated that “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.” This is technically true. Automatically updated software that contained two zero-days was automatically distributing those zero-days to every machine it updated. The pipeline worked. The pipeline delivered vulnerabilities at scale.

There’s a certain comfort in knowing that the system functions as designed. The updates flow. The definitions refresh. The protection engine hums along, diligently following symbolic links into privilege escalation. Everything works. Everything is also broken. These two facts coexist peacefully, like roommates who never speak.

👑 The Gold-Leaf Reckoning

The patched versions — Malware Protection Engine 1.1.26040.8 and Defender Antimalware Platform 4.18.26040.7 — should roll out automatically for most users. But the broader question is one that the security industry keeps asking and never fully answers: who watches the watchers?
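The practical question on any given host is whether the fixed builds have actually landed. The PowerShell below is an added example, not Microsoft's code or anything from the advisory: it reads the installed engine and platform versions with Get-MpComputerStatus, compares them numerically against the fixed versions named above, and also reports whether the service and real-time protection are running, since the denial-of-service flaw's whole effect is an engine that is present but inoperable.

```powershell
# Added check (not from the article): compare the locally installed Defender
# engine and platform versions with the fixed versions the post names, and
# report whether protection is actually running. Needs the Defender module,
# which ships with supported Windows builds.
$fixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix
$fixedPlatform = [version]'4.18.26040.7'   # Defender Antimalware Platform fix

function Test-DefenderPatchState {
    param(
        [Parameter(Mandatory)] [version]$EngineVersion,
        [Parameter(Mandatory)] [version]$PlatformVersion
    )
    # [version] compares component by component as integers, so a build such
    # as 1.1.26030.3008 is correctly ranked below 1.1.26040.8; a plain string
    # comparison of the dotted text is not reliable for this.
    [pscustomobject]@{
        EngineVersion   = $EngineVersion
        EnginePatched   = ($EngineVersion   -ge $fixedEngine)
        PlatformVersion = $PlatformVersion
        PlatformPatched = ($PlatformVersion -ge $fixedPlatform)
    }
}

# AMEngineVersion / AMProductVersion are returned as strings; the typed
# parameters above convert them to [version] on the way in.
$status = Get-MpComputerStatus
$result = Test-DefenderPatchState -EngineVersion $status.AMEngineVersion `
                                  -PlatformVersion $status.AMProductVersion

# A patched version with the service stopped is still an unprotected host,
# which is exactly the condition the DoS vulnerability is meant to produce.
$result | Add-Member -NotePropertyName ServiceRunning     -NotePropertyValue $status.AMServiceEnabled
$result | Add-Member -NotePropertyName RealTimeProtection -NotePropertyValue $status.RealTimeProtectionEnabled
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine or platform is below the fixed version; run Update-MpSignature and re-check.'
}
if (-not ($result.ServiceRunning -and $result.RealTimeProtection)) {
    Write-Warning 'Defender service or real-time protection is not running on this host.'
}
```

Run it across a fleet through your usual remote execution path and collect the objects; hosts that report a version below the fixed build or a stopped service are the ones the June 3 deadline is about.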

Every endpoint protection product is, by definition, the most privileged software on your machine. It scans every file, monitors every process, and operates with the kind of system access that would make a rootkit blush. When that software has a privilege escalation vulnerability, the attacker doesn’t need to find a way in — they already have one. The front door was the antivirus the whole time.

CISA’s warning was characteristically understated: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” Translated from bureaucrat: this happens a lot, it’s bad every time, and we are tired of writing these advisories.

The patches are out. Update your Defender. And try not to think too hard about the fact that, for an unknown period, the software protecting your computer was the easiest way to compromise it.

“The antivirus had a virus. The firewall had a hole. The security update needed a security update. We have achieved cybersecurity recursion.” — The Slap of Wisdom Endpoint Protection Desk, currently being scanned by a scanner that also needs scanning