Fix Soon

CVE-2026-41091

Local Privilege Escalation in Microsoft Defender

Summary

Improper link resolution before file access ('link following', CWE-59) in Microsoft Defender allows a local, authenticated attacker to elevate privileges on Windows systems. The flaw lies in the antimalware platform and the malware protection engine: while performing privileged file access, Defender follows an attacker-controlled link or junction instead of the intended path. Because the Defender service runs as SYSTEM, a low-privilege local user can redirect that file access to a target of their choosing and gain SYSTEM-level control. The CVE is being actively exploited in the wild.

Why Fix Soon?

5/6
Domain user required (treated as pre-auth on internal network)
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes (low-privileged local user, e.g. a domain user)
PoC / Exploit: No
Impact

Gain SYSTEM-level privileges on the local Windows host.

Privilege Escalation
Exploitation Requirements
  • Authentication required (low-privileged local user, e.g. a domain user)
Exploitation Process

A low-privilege local user places or prepares an attacker-controlled link, junction, or similar path object in a location that Defender will process during a scan or other file access. When the privileged Defender component (running as SYSTEM) resolves the path without first checking for reparse points, it follows the attacker-chosen target instead of the intended location. The attacker then uses that redirected privileged file access to perform an action (for example a write to a protected location) that results in SYSTEM-level privilege escalation.
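As an added illustration of the bug class, not code from Defender or from this advisory, the following PowerShell shows the check a privileged component must apply before trusting a path it is about to open on a user's behalf: walk every ancestor of the path and refuse if any component is a junction or symbolic link, which is exactly what a CWE-59 link-following attack relies on. Only documented Windows file-system behaviour is used; nothing about Defender's internal path resolution is assumed, and the directory names in the demo are constructed under the user's temp folder.

```powershell
# Added example, not Defender's code. Generic CWE-59 defence: detect reparse points
# anywhere along a path before a privileged open. Only built-in cmdlets and .NET
# file-system APIs are used; nothing Defender-specific is assumed.

function Get-ReparsePointsInPath {
    param([Parameter(Mandatory)][string]$Path)
    $current = [System.IO.Path]::GetFullPath($Path)
    $found = @()
    # Walk from the leaf up to the drive root. Any reparse point on the way means the
    # final path can be redirected by whoever controls that component.
    while ($current) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                $found += [pscustomobject]@{
                    Path     = $current
                    LinkType = $item.LinkType              # Junction or SymbolicLink
                    Target   = (@($item.Target) -join ';')
                }
            }
        }
        $current = Split-Path -Parent $current
    }
    return $found
}

function Assert-NoReparsePoints {
    # Refuse to operate on a path that passes through a reparse point.
    param([Parameter(Mandatory)][string]$Path)
    $hits = Get-ReparsePointsInPath -Path $Path
    if ($hits.Count -gt 0) {
        throw ("Refusing '$Path': path passes through reparse point(s): " +
               (($hits | ForEach-Object { "$($_.Path) -> $($_.Target)" }) -join ', '))
    }
}

# Constructed demo (hypothetical directory names): a user-writable tree whose 'scanme'
# subdirectory is a junction pointing elsewhere, the shape an attacker prepares for a
# privileged scanner to walk into.
$base = Join-Path $env:TEMP ("cwe59-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path "$base\target" | Out-Null
New-Item -ItemType Junction  -Path "$base\scanme" -Target "$base\target" | Out-Null
Set-Content -LiteralPath "$base\scanme\payload.txt" -Value 'constructed sample file'

# Reports the junction at $base\scanme with its target.
Get-ReparsePointsInPath -Path "$base\scanme\payload.txt" | Format-Table -AutoSize

# The guarded open refuses the path.
try   { Assert-NoReparsePoints -Path "$base\scanme\payload.txt" }
catch { Write-Warning $_.Exception.Message }

# Clean up: delete the junction itself without following it, then the rest.
[System.IO.Directory]::Delete("$base\scanme")
Remove-Item -LiteralPath $base -Recurse -Force
```

The walk-then-open pattern is itself only a first line of defence: a local attacker who can create the junction after the check and before the open wins the race. A robust fix in native code opens with the reparse point rejected at the kernel level (FILE_FLAG_OPEN_REPARSE_POINT, or handle-relative opens from a trusted directory) rather than trusting a prior inspection of the path.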

Detection Resources
Manual Detection: 0 | Script Detection: 0 | Scanner Detection: 1

Affected Software

Vendor: Microsoft

Product                              Affected Versions
Microsoft Defender                   versions prior to 4.18.26040.7 (antimalware platform)
Microsoft Malware Protection Engine  versions prior to 1.1.26040.8
Description

Windows antimalware platform and malware protection engine used by Microsoft Defender Antivirus to scan files, detect threats, and enforce endpoint protection on Windows systems.

Deployment: Typically internal | Protocol: Local | Ports: none (local access only)

Affected Component: File-access and link-resolution handling in the Defender antimalware scanning path.

Enterprise Usage: AI-generated estimate of deployment likelihood (scale Very Low to Very High; the selected value was not preserved in this extraction)
Vendor Size: Big
Remediation
Workaround: Not available
Patch: Not available

Update
Update Microsoft Defender Antivirus to platform version 4.18.26040.7 and Microsoft Malware Protection Engine to 1.1.26040.8 or later through the Microsoft security update path. The two components are serviced separately: engine updates arrive with the regular security intelligence (definition) updates, while platform updates are delivered through Windows Update as the Update for Microsoft Defender antimalware platform package (KB4052623). Verify both version numbers on each host; a current signature set does not imply a patched platform.
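An added PowerShell check (not from this advisory or from Microsoft) that reads both version numbers from the host and compares them with the fixed builds named above. It uses the built-in Get-MpComputerStatus cmdlet, whose AMProductVersion property is the platform version and AMEngineVersion the engine version; the fixed versions are the ones stated on this page, and the function name Test-DefenderFixed is this example's own.

```powershell
# Added example, not the advisory's or Microsoft's code. Compares the running Defender
# platform and engine versions with the fixed builds named on this page.
function Test-DefenderFixed {
    param(
        [version]$FixedPlatform = [version]'4.18.26040.7',   # from this advisory
        [version]$FixedEngine   = [version]'1.1.26040.8'     # from this advisory
    )
    # Get-MpComputerStatus is the built-in Defender cmdlet. It throws if Defender is
    # not the active antimalware provider on the host, which is a result in itself.
    $s = Get-MpComputerStatus -ErrorAction Stop
    $platform = [version]$s.AMProductVersion
    $engine   = [version]$s.AMEngineVersion
    $platformOk = $platform -ge $FixedPlatform
    $engineOk   = $engine   -ge $FixedEngine
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $platform
        PlatformFixed   = $platformOk
        EngineVersion   = $engine
        EngineFixed     = $engineOk
        RealTimeEnabled = $s.RealTimeProtectionEnabled
        # Both must be at or above the fixed build; either one lagging leaves the host exposed.
        Vulnerable      = -not ($platformOk -and $engineOk)
    }
}

$r = Test-DefenderFixed
$r | Format-List

if ($r.Vulnerable) {
    # The engine ships with the security intelligence updates, so a signature update
    # (requires an elevated shell) pulls the current engine from the configured source.
    # The platform is serviced by Windows Update/WSUS and is not touched by this call.
    Update-MpSignature -ErrorAction Stop
    Test-DefenderFixed | Format-List
}
```

To fan the check out across a fleet, run the function body remotely, for example Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Test-DefenderFixed}, and filter the returned objects on Vulnerable. Hosts where the platform is current but the engine lags (or the reverse) should be treated as unpatched until both flags are true.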

Source: msrc.microsoft.com
Threat Intelligence
EPSS: data unavailable
CISA KEV: Listed
Active Exploitation: Active (source: govcert.gov.hk)
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CVSS Base Score

7.8
High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-59 Link Following
Version From: 1.1.26030.3008 | Version Up To: 1.1.26040.8 (exclusive; 1.1.26040.8 is the fixed engine build)

Affected Software (CPE) (1)

  • cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*