CVE-2026-41091

Severity: HIGH · CISA KEV

Microsoft Defender Elevation of Privilege Vulnerability

Title source: CNA

Exploitation Summary

CVE-2026-41091 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 20, 2026. EIP tracks 3 public exploits from researchers including 0xBlackash and ridhinva.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept exploit for CVE-2026-41091, demonstrating a local privilege escalation (LPE) vulnerability in Microsoft Defender by abusing link-following and remediation mechanisms to achieve SYSTEM privileges.

Description

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Exploits (3)

GitHub · Working PoC · 1 star
by 0xBlackash · C++ PoC
https://github.com/0xBlackash/CVE-2026-41091

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Defender (Malware Protection Engine ≤ 1.1.26030.3008)
Auth required: yes
Prerequisites: low-privileged access to the target system · ability to create files and directory junctions
Analyzed by devstral-2, May 22, 2026
nomisec · Scanner
by ridhinva · PoC
https://github.com/ridhinva/defender-privilege-escalation-scanner

This repository contains a Python-based scanner for detecting vulnerabilities in Microsoft Defender (CVE-2026-41091 and CVE-2026-45498). It checks Defender's status, engine version, process permissions, and folder permissions but does not include exploit code.

Classification: Scanner (95%)
Attack type: Info leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Defender (versions below 4.18.2405.7)
Auth required: yes
Prerequisites: Windows system with Microsoft Defender installed · administrative privileges for remote scanning
Analyzed by devstral-2, Jun 04, 2026
nomisec · Scanner
by ridhinva · PoC
https://github.com/ridhinva/defender-vulnerability-scanner

This repository contains a Python-based scanner that checks for vulnerable configurations in Microsoft Defender related to CVE-2026-41091 (LPE) and CVE-2026-45498 (DoS). It queries Defender's status, version, and processes but does not include exploit code.

Classification: Scanner (95%)
Attack type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Defender (versions < 4.18.2405.7)
Auth required: no
Prerequisites: access to a Windows system with Microsoft Defender installed
Analyzed by devstral-2, May 23, 2026

References (2)

Vendor Advisory (patch)
Microsoft Defender Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091

Scores

CVSS v3.1 base score: 7.8
EPSS: 0.0117
EPSS percentile: 63.4%
Attack vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical impact: total

Details

CISA KEV: 2026-05-20
VulnCheck KEV: 2026-05-19
ENISA EUVD: EUVD-2026-31101
CWE: CWE-59
Status: published
Products (3)
microsoft/malware_protection_engine 1.1.26030.3008 - 1.1.26040.8
Microsoft/Microsoft Malware Protection Engine -
Microsoft/Microsoft Malware Protection Engine 1.1.0.0 - 1.1.26040.8
Published: May 20, 2026
KEV added: May 20, 2026
Tracked since: May 20, 2026