Microsoft Defender Link Following Vulnerability (CVE-2026-41091)
Severity Assessment
- Exploitability: 7/10 — Local attack vector (AV:L) with low privileges required (PR:L) and no user interaction (UI:N) per the Microsoft CVSS vector; exploitation requires an authorized local context and is limited to endpoints with vulnerable Microsoft Malware Protection Engine versions where Microsoft Defender is active.
- Impact: 9/10 — Successful exploitation can result in SYSTEM-level privileges on the endpoint, as stated in the Microsoft advisory FAQ.
- Weaponization Risk: 8/10 — MSRC records “Exploited: Yes” and “Latest software release: Exploitation Detected” at the time of advisory publication; CISA added the vulnerability to the KEV catalog the following day, confirming real-world exploitation.
- Patch Urgency: 8/10 — CISA requires federal agencies to apply mitigations per vendor instructions or discontinue use by the 2026-06-03 due date; Microsoft Defender engine updates are delivered automatically in default configurations, but administrators must verify successful deployment to version 1.1.26040.8 or later.
- Detection Coverage: 4/10 — Primary sources publish no static IOCs, file hashes, or detection signatures for the link-following primitive; detection depends primarily on confirming engine patch status and investigating local privilege escalation on exposed hosts.
Summary
CVE-2026-41091 is a link following vulnerability (CWE-59) in Microsoft Defender. The flaw is an instance of improper link resolution before file access (‘link following’) that allows an authorized attacker to elevate privileges locally. Microsoft assigns a CVSS 3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and a temporal score of 6.8. The Microsoft Security Response Center classifies the advisory as Important with impact of Elevation of Privilege.
The affected component is the Microsoft Malware Protection Engine (mpengine.dll), which provides scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. The last affected version is 1.1.26030.3008; the first fixed version is 1.1.26040.8. According to the MSRC FAQ, successful exploitation could allow an attacker to gain SYSTEM privileges. Systems with Microsoft Defender disabled are not in an exploitable state, though vulnerability scanners may still flag the affected engine binaries on disk.
Microsoft released the advisory on 2026-05-19 with exploitation already detected. NVD published the record on 2026-05-20. CISA added CVE-2026-41091 to the Known Exploited Vulnerabilities catalog on 2026-05-20 with a due date of 2026-06-03. CISA lists known ransomware campaign use as Unknown. The vulnerability is tracked under the name “Microsoft Defender Link Following Vulnerability.”
Exploit Chain
Stage 1: Local Access
The vulnerability is local-only (AV:L) and requires an attacker to already possess a low-privileged authorized context on the target endpoint. Systems on which Microsoft Defender is disabled, or which already run a fixed engine version (1.1.26040.8 or later), are not exploitable.
Stage 2: Link Resolution Abuse
An authorized local attacker abuses improper link resolution before file access (‘link following’, CWE-59) in Microsoft Defender. No further public details on the specific link target, symbolic link handling, or precise code path within mpengine.dll are provided in the CISA, NVD, or MSRC records.
Stage 3: Privilege Escalation
By triggering the improper link resolution, the attacker achieves local privilege escalation. Microsoft states in the advisory FAQ that successful exploitation could allow an attacker to gain SYSTEM privileges.
Detection Guidance
- Verify that the Microsoft Malware Protection Engine version is 1.1.26040.8 or later on all endpoints. In default configurations, Microsoft antimalware software updates the engine and definitions automatically; administrators should still confirm successful deployment across managed systems.
- Apply mitigations per Microsoft instructions. If updates cannot be applied, follow applicable CISA BOD 22-01 guidance for cloud services or discontinue use of the affected product.
- Note that disabling Microsoft Defender removes the exploitable surface for this vulnerability, although security scanners may still flag the presence of older Defender binaries on disk.
- Monitor Microsoft release notes and update channels for the Microsoft Malware Protection Engine to ensure fleet-wide compliance ahead of the CISA 2026-06-03 deadline for applicable organizations.
- For defense-in-depth, investigate unexpected local privilege escalation activity on systems that were running vulnerable Microsoft Defender engine versions.
- In managed environments, review update compliance dashboards and audit logs for any endpoints that did not receive the automatic engine update.
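The PowerShell below is an added example, not code from the MSRC advisory, the CISA KEV entry, or the NVD record. It turns the version-compliance guidance above into a check: it reads the running engine version with Get-MpComputerStatus, compares it against the first fixed build 1.1.26040.8 as a [version] (so 1.1.26030.3008 correctly sorts below 1.1.26040.8), reports whether Defender is actually active (a disabled Defender is not exploitable), runs the same check across a host list over WinRM, and lists recent engine-update events from the Defender Operational log. It assumes the Defender PowerShell module and PowerShell remoting are available; the host names WS-001 and WS-002 are placeholders, and the event IDs 2002 (engine updated) and 2003 (engine update failed) are taken from Microsoft's Defender Antivirus event reference and should be confirmed against your own logs.

```powershell
# Added example for CVE-2026-41091 engine-version compliance checking.
# Not from the MSRC/CISA/NVD sources. Assumes the Defender module (Get-MpComputerStatus)
# and WinRM for the fleet check. Host names below are placeholders.

$FixedEngine = [version]'1.1.26040.8'   # first fixed version per the MSRC advisory

# Runs on a single host and returns its patch state as an object.
$Check = {
    param([version]$Fixed)
    $s      = Get-MpComputerStatus
    $engine = [version]$s.AMEngineVersion
    # Exploitable surface exists only when the antimalware service is actually running.
    $active = ([bool]$s.AMServiceEnabled) -and ([bool]$s.AntivirusEnabled)
    if ($engine -ge $Fixed)  { $verdict = 'Fixed' }
    elseif ($active)         { $verdict = 'VULNERABLE' }
    else                     { $verdict = 'NotExploitable-DefenderDisabled' }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        EngineVersion  = $engine.ToString()
        DefenderActive = $active
        Verdict        = $verdict
        LastSigUpdate  = $s.AntivirusSignatureLastUpdated
    }
}

# 1. Local host
& $Check $FixedEngine | Format-List

# 2. Fleet check over WinRM (operator-supplied list; these names are placeholders).
$Computers = @('WS-001', 'WS-002')
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $Check `
               -ArgumentList $FixedEngine -ErrorAction SilentlyContinue
$results | Sort-Object Verdict |
    Format-Table ComputerName, EngineVersion, DefenderActive, Verdict, LastSigUpdate -AutoSize

# 3. Trigger an update on hosts that are still exposed. Engine updates ship with
#    security intelligence updates, so Update-MpSignature pulls both.
foreach ($host in ($results | Where-Object Verdict -eq 'VULNERABLE')) {
    Write-Warning "Exposed: $($host.ComputerName) engine $($host.EngineVersion); requesting update"
    Invoke-Command -ComputerName $host.ComputerName -ScriptBlock { Update-MpSignature }
}

# 4. Engine-update history on the local host. Assumption: IDs 2002/2003 are the
#    engine-updated / engine-update-failed events in Microsoft's Defender AV
#    event reference; confirm against your environment before relying on them.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 2002, 2003
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Hosts reporting Verdict of VULNERABLE after the update request should be re-checked a few minutes later; a persistent 2003 (update failed) event on such a host is the case the last bullet above is asking you to find in compliance dashboards.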
Indicators of Compromise
No static indicators of compromise (file hashes, filenames, registry keys, network artifacts, or YARA signatures) are published in the CISA KEV entry, NVD record, or MSRC advisory for CVE-2026-41091.
The primary indicators are operational and behavioral:
- Unpatched Microsoft Malware Protection Engine versions, including the last affected version 1.1.26030.3008, on endpoints where local attackers had an authorized foothold.
- Local privilege escalation activity resulting in SYSTEM-level access on systems running vulnerable Defender engine versions.
- Post-exploitation artifacts on endpoints that remained exposed between the 2026-05-19 disclosure and the application of engine version 1.1.26040.8 or later.
Because the authoritative sources do not release weaponized samples or stable IOCs, signature-based detection for this specific vulnerability is not supported by public data. Prioritize patch compliance verification and behavioral monitoring of privilege boundaries.
Disclosure Timeline
2026-05-19 — Initial disclosure and patch availability
Microsoft Security Response Center publishes the advisory for CVE-2026-41091 (Microsoft Defender Elevation of Privilege Vulnerability). Release date 2026-05-19T07:00:00-07:00. The record indicates exploitation had been detected. Revision v1 published. The fix is included in Microsoft Malware Protection Engine version 1.1.26040.8.
2026-05-20 — NVD publication and CISA KEV addition
NVD publishes the CVE detail record (published 2026-05-20T13:16:29.173Z, last modified 2026-05-20T19:06:36.850Z) with CVSS 3.1 7.8 HIGH from Microsoft and CWE-59. CISA adds CVE-2026-41091 to the Known Exploited Vulnerabilities catalog. Date added 2026-05-20; due date 2026-06-03. Vulnerability name “Microsoft Defender Link Following Vulnerability” and short description published. Required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance, or discontinue use if mitigations are unavailable.
2026-05-26 — MSRC informational revision
Microsoft publishes revision v1.1 with informational changes and addition of release-note links. Latest revision date 2026-05-26T07:00:00-07:00.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-05-20
- National Vulnerability Database: CVE-2026-41091 Detail — National Vulnerability Database, 2026-05-20
- Microsoft Security Response Center: CVE-2026-41091 Security Update Guide — Microsoft Security Response Center, 2026-05-19