Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure

Suspected
Discovered May 26, 2026

CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-41091 to KEV on 2026-05-20 with a due date of 2026-06-03 CISA KEV opens in a new tab. MSRC marks exploitation detected and identifies the first fixed Microsoft Malware Protection Engine version as 1.1.26040.8, with 1.1.26030.3008 as the last affected version reference MSRC opens in a new tab.

Key Facts

Cve: CVE-2026-41091

Vendor: Microsoft

Product: Microsoft Defender Malware Protection Engine

Kev Added: 2026-05-20

Kev Due: 2026-06-03

Vulnerability: Link following elevation of privilege

Cwe:

  • CWE-59

Affected Versions:

  • 1.1.26030.3008 <= engine < 1.1.26040.8

Fixed Versions:

  • 1.1.26040.8

Cvss V31: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Msrc Exploited: true

Msrc Publicly Disclosed: true

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseHost telemetry shows local privilege escalation or SYSTEM-level follow-on activity on a host with affected Defender engine version.Engine version, host, event timestamp, local user context, and privilege-change evidence.Preserve Security, System, Defender Operational, process, service, and task telemetry.Engine is at least 1.1.26040.8 and downstream local-privilege audit has no unexplained events.
Presumed exposedDefender engine is >= 1.1.26030.3008 and < 1.1.26040.8.Get-MpComputerStatus output or EDR inventory.Keep the host in scope until fixed engine verification succeeds.Version verifier returns in_affected_range: false.
Potentially exposedMicrosoft Defender is present but engine version is missing.Host inventory or scanner row naming Defender or CVE-2026-41091.Collect Defender engine version.Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedDefender engine is absent, disabled in a non-exploitable state per MSRC context, or version is at least 1.1.26040.8.Version output and Defender state.None for this CVE.Evidence is attached to the host record.
UnknownHost cannot provide Defender version or relevant Windows event exports.Gap statement naming missing hosts or telemetry.Keep high-value Windows hosts in scope.Evidence is recovered or the risk owner accepts the named gap.

What Happened

This is a local elevation-of-privilege issue in Microsoft Defender's Malware Protection Engine. The strongest closure artifact is the engine version: 1.1.26040.8 or newer.

Technical Analysis

MSRC describes a link-following vulnerability that allows an authorized local attacker to gain SYSTEM privileges MSRC opens in a new tab. The scripts focus on exact engine version and local privilege-change telemetry. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Microsoft Defender
  • Microsoft Malware Protection Engine
  • CVE-2026-41091

Version Selectors:

  • affected_start: 1.1.26030.3008
  • fixed_engine: 1.1.26040.8

Windows Event Ids:

  • 4688
  • 4698
  • 4732
  • 7045

Privilege Context:

  • SYSTEM privileges
  • local administrators group changes
  • new services
  • new scheduled tasks

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following PowerShell script can be executed to apply mitigations or verify the patch status:

$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-41091-closure" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null

$Cve = "CVE-2026-41091"
$FixedEngine = [version]"1.1.26040.8"
$AffectedStart = [version]"1.1.26030.3008"
$Status = Get-MpComputerStatus
$Engine = [version]$Status.AMEngineVersion
$Closed = ($Engine -ge $FixedEngine)

[pscustomobject]@{
  cve = $Cve
  computer = $env:COMPUTERNAME
  engine_version = $Status.AMEngineVersion
  affected_start = "1.1.26030.3008"
  fixed_engine = "1.1.26040.8"
  closure_state = $Closed
  msrc_source = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091"
  remediation_trigger = "Engine version below 1.1.26040.8 on a host at or above 1.1.26030.3008 keeps CVE-2026-41091 open."
} | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-41091-closure.json")

# Remediation trigger: engine version below 1.1.26040.8 on a host at or above 1.1.26030.3008 keeps CVE-2026-41091 open.
Write-Host "wrote $Out"

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026DisclosureDisclosure recorded for Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure.nvd.nist.gov
May 26, 2026DiscoveryDiscovery recorded for Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure.nvd.nist.gov
May 26, 2026First seenFirst seen recorded for Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure.nvd.nist.gov
May 26, 2026Microsoft Defender CVE-2026-41091: KEV Engine EoP ExposureUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-microsoft-defender-cve-2026-41091-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.
msrc.microsoft.comSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.
cisa.govSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.