Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure

Suspected
Discovered May 26, 2026

CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-45498 to KEV on 2026-05-20 with a due date of 2026-06-03 CISA KEV opens in a new tab. MSRC marks exploitation detected and identifies 4.18.26040.7 as the first fixed Microsoft Defender Antimalware Platform version, with 4.18.26030.3011 as the last affected platform version reference MSRC opens in a new tab.

Key Facts

Cve: CVE-2026-45498

Vendor: Microsoft

Product: Microsoft Defender Antimalware Platform

Kev Added: 2026-05-20

Kev Due: 2026-06-03

Vulnerability: Denial of service

Cwe:

  • CWE-400
  • NVD-CWE-noinfo

Affected Versions:

  • 4.18.26030.3011 <= platform < 4.18.26040.7

Fixed Versions:

  • 4.18.26040.7

Cvss V31: 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Msrc Exploited: true

Msrc Publicly Disclosed: true

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseDefender service crash, protection interruption, or platform failure appears on a host with affected platform version.Platform version, host, timestamped Defender/System event, and service state.Preserve Defender Operational and System events around the interruption.Platform is at least 4.18.26040.7 and service-crash audit has no unexplained failures.
Presumed exposedDefender platform is >= 4.18.26030.3011 and < 4.18.26040.7.Get-MpComputerStatus output or EDR inventory.Keep the host in scope until fixed platform verification succeeds.Version verifier returns in_affected_range: false.
Potentially exposedDefender exists but platform version is missing.Host inventory or scanner row naming Defender or CVE-2026-45498.Collect Defender platform version.Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedDefender platform is absent, disabled in a non-exploitable state per MSRC context, or version is at least 4.18.26040.7.Version output and Defender state.None for this CVE.Evidence is attached to the host record.
UnknownHost cannot provide Defender version or event exports.Gap statement naming missing hosts or telemetry.Keep high-value Windows hosts in scope.Evidence is recovered or the risk owner accepts the named gap.

What Happened

This is a local Defender Antimalware Platform denial-of-service issue. The closure anchor is exact platform version 4.18.26040.7 or newer.

Technical Analysis

MSRC classifies the issue as denial of service with local attack vector and no required privileges MSRC opens in a new tab. The useful detection path is platform version plus Defender service interruption telemetry. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Microsoft Defender
  • Microsoft Defender Antimalware Platform
  • CVE-2026-45498

Version Selectors:

  • affected_start: 4.18.26030.3011
  • fixed_platform: 4.18.26040.7

Windows Event Ids:

  • 5007
  • 5013
  • 7031
  • 7034

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following PowerShell script can be executed to apply mitigations or verify the patch status:

$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-45498-closure" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null

$Cve = "CVE-2026-45498"
$FixedPlatform = [version]"4.18.26040.7"
$AffectedStart = [version]"4.18.26030.3011"
$Status = Get-MpComputerStatus
$Platform = [version]$Status.AMProductVersion
$Closed = ($Platform -ge $FixedPlatform)

[pscustomobject]@{
  cve = $Cve
  computer = $env:COMPUTERNAME
  platform_version = $Status.AMProductVersion
  affected_start = "4.18.26030.3011"
  fixed_platform = "4.18.26040.7"
  closure_state = $Closed
  msrc_source = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45498"
  remediation_trigger = "Platform version below 4.18.26040.7 on a host at or above 4.18.26030.3011 keeps CVE-2026-45498 open."
} | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-45498-closure.json")

# Remediation trigger: platform version below 4.18.26040.7 on a host at or above 4.18.26030.3011 keeps CVE-2026-45498 open.
Write-Host "wrote $Out"

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026DiscoveryDiscovery recorded for Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure.msrc.microsoft.com
May 26, 2026First seenFirst seen recorded for Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure.msrc.microsoft.com
May 26, 2026DisclosureDisclosure recorded for Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure.msrc.microsoft.com
May 26, 2026Microsoft Defender CVE-2026-45498: KEV Platform DoS ExposureUnknownmsrc.microsoft.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabmsrc.microsoft.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-microsoft-defender-cve-2026-45498-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
msrc.microsoft.comSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.
nvd.nist.govSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.
cisa.govSecurity Researcher95%1CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.