CVE-2026-45498 — Microsoft Defender Denial of Service Vulnerability

Microsoft Defender Antimalware Platform — Crafted Payload Crashes Scan Engine Creating Detection Blind Spot; Chained with CVE-2026-41091 LPE; May 2026 Patch Tuesday

What is Microsoft Defender's Antimalware Platform?

Microsoft Defender's Antimalware Platform (the collection of user-mode scanning binaries and kernel-mode drivers, versioned as the platform layer distinct from the signature database and detection engine) handles file scanning, process inspection, and real-time protection on Windows. Because Defender is always-on and processes content from every source — email attachments, downloaded files, network traffic, and user-mode activity — it is a high-value target for denial-of-service attacks. A DoS against a security tool is qualitatively different from a DoS against a productivity application: disabling an antivirus creates a detection blind spot that attackers can exploit to deliver payloads or execute follow-on actions without triggering alerts.

Overview

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender's Antimalware Platform. An attacker can craft a specially formed file or payload that, when scanned by Defender, triggers a resource-exhaustion or crash condition in the scan engine — impairing or disabling Defender's real-time protection without requiring any privileges. Microsoft patched it on May 20, 2026 (May 2026 Patch Tuesday), confirming active exploitation at patch time. CISA added it to KEV the same day alongside CVE-2026-41091 (Defender LPE), suggesting both are used together in a coordinated attack chain.

Despite its moderate CVSS score (4.0), CISA's KEV addition reflects that a security tool DoS exploited in combination with a privilege escalation is operationally significant — the DoS creates a window in which defenders are blind while the LPE completes.

Affected Versions

Product                                   | Vulnerable Platform Version | Fixed Platform Version
Microsoft Defender (Windows)              | ≤ 4.18.26030.3011           | 4.18.26040.7
Microsoft Security Essentials             | ≤ 4.18.26030.3011           | 4.18.26040.7
System Center Endpoint Protection         | ≤ 4.18.26030.3011           | 4.18.26040.7
System Center 2012/R2 Endpoint Protection | ≤ 4.18.26030.3011           | 4.18.26040.7

(All rows refer to the Antimalware Platform component of the listed product.)

Note: Antimalware Platform updates deliver automatically via Windows Update — most systems patch silently within hours of the engine update release.

Technical Details

The root cause is insufficient input validation in Microsoft Defender's Antimalware Platform scanning pipeline. A specially crafted file — such as a malformed email attachment, archive, or network-delivered payload — causes the Defender scan engine to enter a resource-exhaustion or unhandled error state when processing the malicious content. The result is a crash or sustained impairment of the real-time protection component.

The PR:N (No Privileges Required) CVSS rating reflects that the attacker does not need a local user account to trigger the DoS — a malicious file can be delivered to the system via email, download, or network share, and Defender's on-access scanning will process it automatically without any user interaction beyond file delivery. This is notably different from most local DoS vulnerabilities that require the attacker to already have an authenticated session.

The operational threat model for this CVE is as a prerequisite for CVE-2026-41091 (Defender LPE): disable Defender's detection capability first, then execute the privilege escalation while Defender cannot detect or block the exploit artifacts.

Discovery

No researcher has been publicly credited for reporting CVE-2026-45498 to Microsoft. Both CVE-2026-45498 and CVE-2026-41091 were acknowledged as actively exploited at patch time, suggesting they were discovered during threat intelligence investigation or incident response rather than through proactive vulnerability research.

Exploitation Context

Microsoft confirmed active in-the-wild exploitation of CVE-2026-45498 at the time of the May 2026 Patch Tuesday release. No specific threat actor, ransomware group, or nation-state has been publicly attributed.

CVE-2026-45498 and CVE-2026-41091 (Defender LPE) were patched together and added to KEV together — a pattern consistent with coordinated exploitation as a two-stage chain:

  1. CVE-2026-45498 crashes or disables Defender's real-time protection, creating a detection blind spot
  2. CVE-2026-41091 exploits Defender's scan engine symlink handling to escalate from a low-privilege user to SYSTEM while Defender is impaired

This attack pattern — disabling the security tool before exploiting it — is particularly difficult for endpoint defenders to detect because the telemetry source (Defender) is impaired during the attack window.

Remediation

  1. Verify that Microsoft Defender's Antimalware Platform is at version 4.18.26040.7 or later (Windows Security → Virus & threat protection → Protection updates → Check for updates; or PowerShell: Get-MpComputerStatus | Select-Object -ExpandProperty AMProductVersion).
  2. Ensure Windows Automatic Updates are enabled — Antimalware Platform updates deliver automatically and most systems will patch within hours without manual action.
  3. For enterprise environments: verify Defender platform updates are not blocked by WSUS/SCCM policies — platform updates require a separate delivery path from Windows cumulative updates.
  4. Also apply the fix for CVE-2026-41091 (Defender LPE), which is likely chained with this DoS in active exploitation.
  5. Monitor Defender health dashboards (Microsoft Defender for Endpoint, Intune, or local Windows Security Center) for unexpected protection status changes — sudden transitions from "Protected" to "Action Required" on endpoints may indicate DoS exploitation.
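As an added example that is not part of the original advisory and is not Microsoft's own tooling, the following PowerShell carries out steps 1 and 5 on a single endpoint: it compares the installed Antimalware Platform version against the fixed build and reviews the Defender operational log for protection-impairment events. It assumes the Defender module (Get-MpComputerStatus) is available and that it runs in an elevated session so the event log is readable.

```powershell
# Added example (not from the advisory or from Microsoft): per-endpoint check for
# the remediation steps above. Assumes the Defender PowerShell module is present
# and the session is elevated.

$FixedPlatform = [version]'4.18.26040.7'   # fixed Antimalware Platform version named in the advisory

function Test-DefenderPlatformPatched {
    param([string]$InstalledVersion)
    # [version] compares component by component; a plain string comparison would
    # mis-order 4.18.26030.3011 and 4.18.26040.7.
    return ([version]$InstalledVersion -ge $FixedPlatform)
}

$status  = Get-MpComputerStatus
$patched = Test-DefenderPlatformPatched -InstalledVersion $status.AMProductVersion

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    AMProductVersion       = $status.AMProductVersion
    PatchedForCVE202645498 = $patched
    RealTimeProtectionOn   = $status.RealTimeProtectionEnabled
    AntivirusEnabled       = $status.AntivirusEnabled
    AMServiceEnabled       = $status.AMServiceEnabled
} | Format-List

if (-not $patched) {
    # Platform updates ship through Windows Update, not through Update-MpSignature
    # (which only refreshes definitions), so point the operator at the right channel.
    Write-Warning "Antimalware Platform $($status.AMProductVersion) is below $FixedPlatform; install the platform update via Windows Update."
}

# Step 5: look back 24 hours for real-time protection being turned off (event 5001)
# or the antimalware engine failing (event 5008). These are the Defender
# operational-log event IDs Microsoft documents; a cluster of them on an unpatched
# endpoint is the "Protected" -> "Action Required" transition the advisory describes.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5008
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning ("{0} protection-impairment event(s) in the last 24h; review before treating this endpoint as unexposed" -f $events.Count)
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
}
```

Run it through your management tooling (Intune scripts, SCCM, or Invoke-Command) to collect the same object from every endpoint rather than checking hosts one at a time.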

See Also

This CVE is part of a pattern of Microsoft Defender vulnerabilities in CISA KEV and was actively chained with CVE-2026-41091 (Defender LPE) in exploitation. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property | Value
CVE ID | CVE-2026-45498
Vendor / Product | Microsoft — Defender
NVD Published | 2026-05-20
NVD Last Modified | 2026-05-20
CVSS 3.1 Score | 4.0
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity | MEDIUM
CISA KEV Added | 2026-05-20
CISA KEV Deadline | 2026-06-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2026-06-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2026-05-20 | Microsoft patches CVE-2026-45498 on May 2026 Patch Tuesday; Antimalware Platform 4.18.26040.7 released; Microsoft confirms active exploitation; CISA adds to KEV same day alongside CVE-2026-41091
2026-06-03 | CISA BOD 22-01 remediation deadline