What is Microsoft Defender's Malware Protection Engine?
Microsoft Defender (formerly Windows Defender) is the built-in antivirus and endpoint protection product included with all modern Windows versions. At its core is the Malware Protection Engine (MMPE / MpEngine.dll), the component responsible for scanning files, processes, registry entries, and other system artifacts for malicious content. Because Defender operates with SYSTEM privileges to scan protected system locations, vulnerabilities in the scan engine that mishandle file system operations — such as improperly following symbolic links — can be exploited by a low-privilege attacker to gain SYSTEM-level access. The same class of bug (link following in security tools) has been exploited repeatedly in Defender and other AV products because the elevated scanning context makes even small file-access mistakes high-impact.
Overview
CVE-2026-41091 is a link-following privilege escalation vulnerability in Microsoft Defender's Malware Protection Engine. A low-privilege local attacker can create a symbolic link from an unprivileged location to a sensitive system file (such as a registry hive). When Defender's scan engine resolves the link and accesses the target file without validating the symlink chain, it does so with SYSTEM privileges — allowing the attacker to read or overwrite the target and escalate to full SYSTEM control. Microsoft patched it on May 20, 2026 (May 2026 Patch Tuesday), confirming active exploitation at patch time. CISA added it to KEV the same day.
CVE-2026-41091 is contextually linked to the BlueHammer exploit chain (CVE-2026-33825), a related Defender link-following vulnerability that was publicly disclosed via PoC in April 2026. Both target the same underlying attack surface — MMPE's improper symlink resolution when scanning files in user-controlled locations.
Affected Versions
| Product | Vulnerable Engine Version | Fixed Engine Version |
|---|---|---|
| Microsoft Defender (Windows) | Malware Protection Engine ≤ 1.1.26030.3008 | 1.1.26040.8 |
| Microsoft Security Essentials | Malware Protection Engine ≤ 1.1.26030.3008 | 1.1.26040.8 |
| System Center Endpoint Protection | Malware Protection Engine ≤ 1.1.26030.3008 | 1.1.26040.8 |
| System Center 2012/R2 Endpoint Protection | Malware Protection Engine ≤ 1.1.26030.3008 | 1.1.26040.8 |
Note: Defender engine updates deliver automatically via Windows Update — most systems patch silently within hours of the engine update release without requiring manual intervention.
Technical Details
CWE-59 (Improper Link Resolution Before File Access). The Malware Protection Engine scans files by resolving their paths and opening them with elevated privileges. A flaw in how MMPE resolves symbolic links allows an attacker to create a symlink at a path accessible to a low-privilege process (e.g., within %TEMP% or a user-writable directory) pointing to a sensitive system file such as C:\Windows\System32\config\SAM (the registry hive storing local account password hashes).
When Defender's scan engine processes the attacker-controlled path, it follows the symlink without proper validation and accesses the target file with SYSTEM privileges. Depending on the target, the attacker can:
- Read sensitive files inaccessible to normal users (credential extraction from SAM hive)
- Write to or overwrite protected system files (arbitrary file write as SYSTEM → code execution)
The CVSS metric PR:L (Low Privileges Required) reflects that an existing low-privilege local process is sufficient; no administrator access is needed. The attack is closely related to the BlueHammer technique (CVE-2026-33825) that was publicly demonstrated in April 2026.
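A defender-side hunt for the precondition described above, as an added example that is not part of this advisory: it enumerates reparse points (symbolic links and junctions) under user-writable locations and reports any whose target resolves into a protected directory such as C:\Windows\System32\config. The lists of user-writable roots and protected roots are assumptions; adjust them to the environment.

```powershell
# Added example (not from the advisory): find reparse points under user-writable
# locations that point into protected system directories. Such a link is the
# precondition for CWE-59 abuse by a SYSTEM-level scanner, so it is worth flagging.
# The root lists below are assumptions, not values taken from the advisory.

$protectedRoots = @(
    "$env:SystemRoot\System32\config",   # registry hives (SAM, SYSTEM, SECURITY, ...)
    "$env:SystemRoot\System32"
)

# User-writable roots a low-privilege process can populate (assumed list).
$userWritableRoots = @($env:TEMP, "$env:LOCALAPPDATA\Temp", $env:PUBLIC)

function Get-LinkTarget {
    param([System.IO.FileSystemInfo]$Item)
    # PowerShell 7.2+ exposes LinkTarget; Windows PowerShell 5.1 exposes Target (string[]).
    $t = if ($Item.PSObject.Properties['LinkTarget']) { $Item.LinkTarget } else { $Item.Target }
    if ($t -is [array]) { $t = $t | Select-Object -First 1 }
    return [string]$t
}

function Find-SuspiciousReparsePoints {
    param([string[]]$Roots, [string[]]$Protected)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = Get-LinkTarget $_
                if (-not $target) { return }
                # Junctions report NT-style targets such as \??\C:\...; strip the prefix.
                $target = $target -replace '^\\\?\?\\', ''
                foreach ($p in $Protected) {
                    if ($target.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
                        [pscustomobject]@{
                            Link     = $_.FullName
                            LinkType = $_.LinkType
                            Target   = $target
                            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                            Created  = $_.CreationTimeUtc
                        }
                        break
                    }
                }
            }
    }
}

Find-SuspiciousReparsePoints -Roots $userWritableRoots -Protected $protectedRoots | Format-Table -AutoSize
```

The Owner and Created columns tell an analyst which account planted the link and when, which is the pivot point for the endpoint-log review recommended under Remediation.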
Discovery
No researcher was publicly credited for reporting CVE-2026-41091 to Microsoft. The vulnerability is thematically linked to the BlueHammer exploit chain (CVE-2026-33825), which was reported by researchers Zen Dodd and Yuanpei Xu and subsequently demonstrated publicly by a researcher known as "Chaotic Eclipse" on April 3, 2026. Microsoft's confirmation of active exploitation at patch time suggests the vulnerability was identified during incident response or threat intelligence investigation rather than proactive disclosure.
Exploitation Context
Microsoft confirmed active in-the-wild exploitation of CVE-2026-41091 at the time of the May 2026 Patch Tuesday release. No specific threat actor, ransomware group, or nation-state has been publicly attributed. The exploit is a local privilege escalation — it requires an attacker to already have code execution as a standard user on the target machine, making it a second-stage component typically used after initial access is established via phishing, a remote exploit, or other means.
CVE-2026-41091 and CVE-2026-45498 (Defender DoS) were patched simultaneously and added to KEV together, suggesting they may be used in a combined attack chain: CVE-2026-45498 disables Defender's detection capabilities to create a blind spot, then CVE-2026-41091 is used to escalate privileges to SYSTEM while Defender is impaired.
Remediation
- Verify that Microsoft Defender's Malware Protection Engine is at version 1.1.26040.8 or later (Windows Security → Virus & threat protection → Protection updates → Check for updates; or PowerShell: Get-MpComputerStatus | Select-Object -ExpandProperty AMEngineVersion).
- Ensure Windows Automatic Updates are enabled — Defender engine updates deliver automatically and most systems will patch within hours of the engine update release without manual action.
- For enterprise environments: confirm that Windows Update is not blocked for Defender engine updates on endpoints where WSUS/SCCM is controlling Windows patches — engine updates require a separate delivery path.
- Also apply the fix for CVE-2026-45498 (Defender DoS), which may be chained with this LPE in active attack scenarios.
- Review endpoint logs for unexpected SYSTEM-level process executions or file access anomalies in C:\Windows\System32\config\ from non-SYSTEM processes as an indicator of exploitation.
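The version check from the first remediation step, as an added example (not the advisory's own code): it compares the installed engine version against the fixed version 1.1.26040.8 using proper version semantics, reports the Defender state fields that indicate whether update delivery is working, and triggers an update when the engine is still below the fix. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present on the endpoint.

```powershell
# Added example (not from the advisory): check the local Defender engine against the
# fixed Malware Protection Engine version stated on this page and update if needed.

$fixedEngine = [version]'1.1.26040.8'   # fixed engine version from the advisory

function Test-DefenderEngineFixed {
    param([version]$Fixed = $fixedEngine)
    $status = Get-MpComputerStatus -ErrorAction Stop
    # [version] comparison handles 1.1.26030.3008 < 1.1.26040.8 correctly
    # (a plain string comparison would not).
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        FixedVersion       = $Fixed
        EngineFixed        = ($engine -ge $Fixed)
        SignatureAgeDays   = $status.AntivirusSignatureAge   # stale signatures suggest blocked updates
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AMServiceEnabled   = $status.AMServiceEnabled
    }
}

$result = Test-DefenderEngineFixed
$result | Format-List

if (-not $result.EngineFixed) {
    Write-Warning "Engine $($result.EngineVersion) is below $fixedEngine; requesting an update."
    # Update-MpSignature pulls the latest engine and definitions from the configured source.
    Update-MpSignature -ErrorAction Stop
    $after = Test-DefenderEngineFixed
    Write-Output "Engine after update: $($after.EngineVersion) (fixed: $($after.EngineFixed))"
}
```

To collect the same result across a fleet, run Test-DefenderEngineFixed through Invoke-Command -ComputerName against the endpoint list and filter on EngineFixed -eq $false.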
See Also
This CVE is part of a pattern of Microsoft Defender vulnerabilities in CISA KEV and was actively chained with CVE-2026-45498 (Defender DoS) in exploitation. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-41091 |
| Vendor / Product | Microsoft — Defender |
| NVD Published | 2026-05-20 |
| NVD Last Modified | 2026-05-20 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-59 |
| CISA KEV Added | 2026-05-20 |
| CISA KEV Deadline | 2026-06-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-04-03 | Researcher 'Chaotic Eclipse' publishes PoC for BlueHammer exploit chain (CVE-2026-33825) targeting Microsoft Defender's link-following attack surface — exploiting registry hive access via symlink to achieve SYSTEM-level access |
| 2026-05-20 | Microsoft patches CVE-2026-41091 on May 2026 Patch Tuesday; Malware Protection Engine 1.1.26040.8 released; Microsoft confirms active exploitation; CISA adds to KEV same day |
| 2026-06-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2026-41091 | Vendor Advisory |
| NVD — CVE-2026-41091 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| BleepingComputer — Microsoft warns of new Defender zero-days exploited in attacks | News |
| The Hacker News — Microsoft Warns of Two Actively Exploited Defender Vulnerabilities | News |