Threat analysis: high

Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure

CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.


    Executive Summary

    CISA added CVE-2026-41091 to KEV on 2026-05-20 with a due date of 2026-06-03 (CISA KEV). MSRC marks exploitation detected and identifies the first fixed Microsoft Malware Protection Engine version as 1.1.26040.8, with 1.1.26030.3008 as the last affected version reference (MSRC).

    Key Facts

    cve: "CVE-2026-41091"
    vendor: "Microsoft"
    product: "Microsoft Defender Malware Protection Engine"
    kev_added: "2026-05-20"
    kev_due: "2026-06-03"
    vulnerability: "Link following elevation of privilege"
    cwe: ["CWE-59"]
    affected_versions: ["1.1.26030.3008 <= engine < 1.1.26040.8"]
    fixed_versions: ["1.1.26040.8"]
    cvss_v31: "7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    msrc_exploited: true
    msrc_publicly_disclosed: true

    Source Confidence & Evidence Mapping

    • confirmed: CISA KEV lists CVE-2026-41091 as known exploited (CISA KEV).
    • confirmed: MSRC marks exploitation detected and lists engine version 1.1.26040.8 as the first fixed version (MSRC).
    • confirmed: NVD lists CWE-59 and CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

    Impact Determination

    Classification: Confirmed compromise
      Criteria: Host telemetry shows local privilege escalation or SYSTEM-level follow-on activity on a host with an affected Defender engine version.
      Required evidence: Engine version, host, event timestamp, local user context, and privilege-change evidence.
      Remediation trigger: Preserve Security, System, Defender Operational, process, service, and task telemetry.
      Closure condition: Engine is at least 1.1.26040.8 and the downstream local-privilege audit has no unexplained events.

    Classification: Presumed exposed
      Criteria: Defender engine is >= 1.1.26030.3008 and < 1.1.26040.8.
      Required evidence: Get-MpComputerStatus output or EDR inventory.
      Remediation trigger: Keep the host in scope until fixed-engine verification succeeds.
      Closure condition: Version verifier returns in_affected_range: false.

    Classification: Potentially exposed
      Criteria: Microsoft Defender is present but the engine version is missing.
      Required evidence: Host inventory or scanner row naming Defender or CVE-2026-41091.
      Remediation trigger: Collect the Defender engine version.
      Closure condition: Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown.

    Classification: Not exposed
      Criteria: Defender engine is absent, disabled in a non-exploitable state per MSRC context, or the version is at least 1.1.26040.8.
      Required evidence: Version output and Defender state.
      Remediation trigger: None for this CVE.
      Closure condition: Evidence is attached to the host record.

    Classification: Unknown
      Criteria: Host cannot provide the Defender version or the relevant Windows event exports.
      Required evidence: Gap statement naming the missing hosts or telemetry.
      Remediation trigger: Keep high-value Windows hosts in scope.
      Closure condition: Evidence is recovered or the risk owner accepts the named gap.

    Timeline

    • 2026-05-19: MSRC publishes CVE-2026-41091 with exploitation detected (MSRC).
    • 2026-05-20: CISA adds CVE-2026-41091 to KEV with due date 2026-06-03 (CISA KEV).
    • 2026-05-20: NVD publication timestamp for CVE-2026-41091 (NVD).

    What Happened

    This is a local elevation-of-privilege issue in Microsoft Defender’s Malware Protection Engine. The strongest closure artifact is the engine version: 1.1.26040.8 or newer.

    Technical Analysis

    MSRC describes a link-following vulnerability that allows an authorized local attacker to gain SYSTEM privileges (MSRC). The scripts focus on the exact engine version and local privilege-change telemetry.

    Affected Assets and Blast Radius

    asset_selectors:
      - "Microsoft Defender"
      - "Microsoft Malware Protection Engine"
      - "CVE-2026-41091"
    version_selectors:
      affected_start: "1.1.26030.3008"
      fixed_engine: "1.1.26040.8"
    windows_event_ids:
      - 4688
      - 4698
      - 4732
      - 7045
    privilege_context:
      - "SYSTEM privileges"
      - "local administrators group changes"
      - "new services"
      - "new scheduled tasks"

    Indicators And Detection Selectors

    cves: ["CVE-2026-41091"]
    product: "Microsoft Defender Malware Protection Engine"
    affected_engine_range: "1.1.26030.3008 <= engine < 1.1.26040.8"
    fixed_engine: "1.1.26040.8"
    telemetry_selectors:
      - "EventID 4688"
      - "EventID 4698"
      - "EventID 4732"
      - "EventID 7045"
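    The affected_engine_range selector above is a plain string. The function below is an added example, not part of this advisory or of any Microsoft tooling: it parses that selector form ("<low> <op> engine <op> <high>", the only form on this page) and evaluates inventory version strings against it. It returns $null for a version string that cannot be parsed, so such a host falls through to the table's unknown or potentially exposed handling instead of silently reading as not exposed. The host names and version strings in the sample run are constructed.

```powershell
# Added example: parse the advisory's affected_engine_range selector and
# evaluate engine version strings against it. Assumes the selector always
# has the form "<low> <op> engine <op> <high>" as it does on this page.

function ConvertFrom-EngineRange {
    param([Parameter(Mandatory)][string]$Selector)
    # e.g. "1.1.26030.3008 <= engine < 1.1.26040.8"
    $pattern = '^\s*(?<low>[\d.]+)\s*(?<lowOp><=|<)\s*engine\s*(?<highOp><=|<)\s*(?<high>[\d.]+)\s*$'
    $m = [regex]::Match($Selector, $pattern)
    if (-not $m.Success) { throw "Unrecognised range selector: '$Selector'" }
    [pscustomobject]@{
        Low           = [version]$m.Groups['low'].Value
        LowInclusive  = ($m.Groups['lowOp'].Value -eq '<=')
        High          = [version]$m.Groups['high'].Value
        HighInclusive = ($m.Groups['highOp'].Value -eq '<=')
    }
}

function Test-EngineInRange {
    param(
        [Parameter(Mandatory)]$Range,
        [Parameter(Mandatory)][string]$EngineVersion
    )
    $v = $null
    # An unparseable version is reported as $null (unknown), never as "outside the range"
    if (-not [version]::TryParse($EngineVersion, [ref]$v)) { return $null }
    $aboveLow  = if ($Range.LowInclusive)  { $v -ge $Range.Low }  else { $v -gt $Range.Low }
    $belowHigh = if ($Range.HighInclusive) { $v -le $Range.High } else { $v -lt $Range.High }
    return ($aboveLow -and $belowHigh)
}

# Selector taken from this advisory
$range = ConvertFrom-EngineRange "1.1.26030.3008 <= engine < 1.1.26040.8"

# Constructed sample inventory rows (hypothetical hosts and versions)
$samples = @(
    @{ Host = 'ws-01'; Engine = '1.1.26030.3008' },  # exactly affected_start -> in range
    @{ Host = 'ws-02'; Engine = '1.1.26035.2' },     # inside the range
    @{ Host = 'ws-03'; Engine = '1.1.26040.8' },     # exactly the fix -> out of range
    @{ Host = 'ws-04'; Engine = '1.1.26020.1' },     # older than affected_start -> not matched by this selector
    @{ Host = 'ws-05'; Engine = 'n/a' }              # no parseable version -> unknown
)
foreach ($s in $samples) {
    $r = Test-EngineInRange -Range $range -EngineVersion $s.Engine
    $state = if ($null -eq $r) { 'unknown' } elseif ($r) { 'presumed exposed' } else { 'outside selector' }
    "{0,-6} {1,-16} {2}" -f $s.Host, $s.Engine, $state
}
```

    The version comparisons use [version] rather than string comparison; "1.1.26035.2" sorts correctly between the two bounds as a version but would not as a string.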

    Detection and Hunting

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-41091-hunt" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-41091"
    $AffectedStart = [version]"1.1.26030.3008"
    $FixedEngine = [version]"1.1.26040.8"
    $Status = Get-MpComputerStatus
    $Engine = [version]$Status.AMEngineVersion
    $InAffectedRange = ($Engine -ge $AffectedStart -and $Engine -lt $FixedEngine)
    
    $Since = (Get-Date).AddDays(-14)
    $SecurityIds = 4688,4698,4732   # process creation, scheduled task created, member added to a local group
    $SystemIds = 7045               # new service installed
    
    $Security = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=$SecurityIds; StartTime=$Since} -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, ProviderName, Message
    $System = Get-WinEvent -FilterHashtable @{LogName="System"; Id=$SystemIds; StartTime=$Since} -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, ProviderName, Message
    
    $Result = [ordered]@{
      cve = $Cve
      computer = $env:COMPUTERNAME
      engine_version = $Status.AMEngineVersion
      affected_start = "1.1.26030.3008"
      fixed_engine = "1.1.26040.8"
      in_affected_range = $InAffectedRange
      searched_event_ids = @(4688,4698,4732,7045)
      positive_signal = "in_affected_range true plus local privilege-change events 4688, 4698, 4732, or 7045 after 2026-05-19"
    }
    $Result | ConvertTo-Json -Depth 5 | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-41091-host-state.json")
    $Security | Export-Csv -NoTypeInformation -Path (Join-Path $Out "security-4688-4698-4732.csv")
    $System | Export-Csv -NoTypeInformation -Path (Join-Path $Out "system-7045.csv")
    
    # Positive signal: in_affected_range true plus local privilege-change events 4688, 4698, 4732, or 7045 after 2026-05-19.
    Write-Host "wrote $Out"
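    The Impact Determination table and the hunt script's positive-signal rule can be applied mechanically to per-host records. The function below is an added example, not the advisory's own script: it takes a constructed record shape (name, defender_present, engine_version, events) and returns the table's classification together with a positive_signal flag. A real run would populate the records from the host-state JSON and the security and system CSVs the hunt script writes. It never emits "confirmed compromise" on its own, because the table requires analyst-verified privilege escalation for that row, and where the page leaves a case undefined (an engine older than affected_start) it reports "unknown". All sample hosts and events are constructed.

```powershell
# Added example: apply the Impact Determination table and the hunt's
# positive-signal rule to per-host records. The record layout and every
# sample value below are constructed; they are not from the advisory.

$AffectedStart = [version]'1.1.26030.3008'
$FixedEngine   = [version]'1.1.26040.8'
$ExposureStart = [datetime]'2026-05-19'       # MSRC publication date from the timeline
$PrivilegeIds  = 4688, 4698, 4732, 7045       # event IDs the hunt script collects

function Get-DefenderExposureState {
    param([Parameter(Mandatory)][hashtable]$Record)
    # $Record keys (constructed layout):
    #   name             host name
    #   defender_present $true / $false / $null (unknown)
    #   engine_version   string or $null
    #   events           array of objects with Id and TimeCreated, or $null when the export is missing
    $result = [ordered]@{ name = $Record.name; classification = ''; reason = ''; positive_signal = $false }

    if ($Record.defender_present -eq $false) {
        $result.classification = 'not exposed'; $result.reason = 'Defender engine absent'
        return [pscustomobject]$result
    }
    $engine = $null
    $haveVersion = [version]::TryParse([string]$Record.engine_version, [ref]$engine)
    if (-not $haveVersion) {
        if ($null -eq $Record.events -and $null -eq $Record.defender_present) {
            $result.classification = 'unknown'; $result.reason = 'no Defender version and no event export'
        } else {
            $result.classification = 'potentially exposed'; $result.reason = 'Defender present, engine version missing'
        }
        return [pscustomobject]$result
    }
    if ($engine -ge $FixedEngine) {
        $result.classification = 'not exposed'; $result.reason = "engine $engine is at or above the fix"
        return [pscustomobject]$result
    }
    if ($engine -lt $AffectedStart) {
        $result.classification = 'unknown'; $result.reason = "engine $engine is below the stated affected_start; not covered by this advisory"
        return [pscustomobject]$result
    }
    # In the affected range: presumed exposed. Privilege-change events after the
    # exposure start date are the hunt's positive signal and go to an analyst;
    # they do not by themselves establish confirmed compromise.
    $result.classification = 'presumed exposed'
    if ($null -eq $Record.events) {
        $result.reason = "engine $engine in affected range; event export missing"
    } else {
        $hits = @($Record.events | Where-Object { $PrivilegeIds -contains $_.Id -and $_.TimeCreated -ge $ExposureStart })
        $result.positive_signal = ($hits.Count -gt 0)
        $result.reason = "engine $engine in affected range; $($hits.Count) privilege-change event(s) since $($ExposureStart.ToString('yyyy-MM-dd'))"
    }
    return [pscustomobject]$result
}

# Constructed sample hosts
$sampleHosts = @(
    @{ name = 'ws-01'; defender_present = $true;  engine_version = '1.1.26033.4'; events = @(
        [pscustomobject]@{ Id = 4698; TimeCreated = [datetime]'2026-05-21T09:12:00' },
        [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2026-05-10T08:00:00' } ) },  # second event predates exposure
    @{ name = 'ws-02'; defender_present = $true;  engine_version = '1.1.26040.8'; events = @() },
    @{ name = 'ws-03'; defender_present = $true;  engine_version = $null;         events = @() },
    @{ name = 'ws-04'; defender_present = $false; engine_version = $null;         events = @() },
    @{ name = 'ws-05'; defender_present = $null;  engine_version = $null;         events = $null }
)
$sampleHosts | ForEach-Object { Get-DefenderExposureState -Record $_ } | Format-Table -AutoSize
```

    In the sample run ws-01 comes back presumed exposed with positive_signal true (one of its two events falls after 2026-05-19), ws-02 not exposed, ws-03 potentially exposed, ws-04 not exposed, and ws-05 unknown; only ws-01 needs the preservation and audit steps from the table.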

    Patch, Mitigation, and Verification

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-41091-closure" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-41091"
    $FixedEngine = [version]"1.1.26040.8"
    $AffectedStart = [version]"1.1.26030.3008"
    $Status = Get-MpComputerStatus
    $Engine = [version]$Status.AMEngineVersion
    $Closed = ($Engine -ge $FixedEngine)
    
    [pscustomobject]@{
      cve = $Cve
      computer = $env:COMPUTERNAME
      engine_version = $Status.AMEngineVersion
      affected_start = "1.1.26030.3008"
      fixed_engine = "1.1.26040.8"
      closure_state = $Closed
      msrc_source = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091"
      remediation_trigger = "Engine version below 1.1.26040.8 on a host at or above 1.1.26030.3008 keeps CVE-2026-41091 open."
    } | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-41091-closure.json")
    
    # Remediation trigger: engine version below 1.1.26040.8 on a host at or above 1.1.26030.3008 keeps CVE-2026-41091 open.
    Write-Host "wrote $Out"

    Downstream Abuse Audits

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-41091-downstream" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-41091"
    $Since = (Get-Date).AddDays(-14)
    # 4670 = permissions on an object were changed; the other IDs match the hunt script
    $Events = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4688,4698,4732,4670; StartTime=$Since} -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "SYSTEM|Administrators|Task Scheduler|Service Control|CVE-2026-41091|1\.1\.26030\.3008|1\.1\.26040\.8" } |
      Select-Object TimeCreated, Id, ProviderName, Message
    
    $Events | Export-Csv -NoTypeInformation -Path (Join-Path $Out "defender-cve-2026-41091-downstream-events.csv")
    
    # Positive signal: local administrator changes, SYSTEM process creation, scheduled task creation, or permission changes after exposure on an affected engine.
    # Remediation trigger: unexplained privilege-change events keep local accounts and host persistence mechanisms in scope.
    Write-Host "wrote $Out for $Cve"

    Sources

    1. CISA Known Exploited Vulnerabilities catalog JSON
    2. MSRC CVE-2026-41091
    3. NVD CVE-2026-41091