Threat analysis (severity: medium)

Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure

CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.

Tags: microsoft-defender, cisa-kev, vulnerability-response, windows

    Executive Summary

    CISA added CVE-2026-45498 to KEV on 2026-05-20 with a due date of 2026-06-03 (CISA KEV). MSRC marks exploitation detected, identifies 4.18.26040.7 as the first fixed Microsoft Defender Antimalware Platform version, and cites 4.18.26030.3011 as the last affected platform version (MSRC).

    Key Facts

    cve: "CVE-2026-45498"
    vendor: "Microsoft"
    product: "Microsoft Defender Antimalware Platform"
    kev_added: "2026-05-20"
    kev_due: "2026-06-03"
    vulnerability: "Denial of service"
    cwe: ["CWE-400", "NVD-CWE-noinfo"]
    affected_versions: ["4.18.26030.3011 <= platform < 4.18.26040.7"]
    fixed_versions: ["4.18.26040.7"]
    cvss_v31: "4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
    msrc_exploited: true
    msrc_publicly_disclosed: true

    Source Confidence & Evidence Mapping

    • confirmed: CISA KEV lists CVE-2026-45498 as known exploited (CISA KEV).
    • confirmed: MSRC marks exploitation detected and lists platform version 4.18.26040.7 as the first fixed version (MSRC).
    • confirmed: NVD lists CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

    Impact Determination

    | Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
    | --- | --- | --- | --- | --- |
    | Confirmed compromise | Defender service crash, protection interruption, or platform failure appears on a host with an affected platform version. | Platform version, host, timestamped Defender/System event, and service state. | Preserve Defender Operational and System events around the interruption. | Platform is at least 4.18.26040.7 and the service-crash audit has no unexplained failures. |
    | Presumed exposed | Defender platform is >= 4.18.26030.3011 and < 4.18.26040.7. | Get-MpComputerStatus output or EDR inventory. | Keep the host in scope until fixed-platform verification succeeds. | Version verifier returns in_affected_range: false. |
    | Potentially exposed | Defender exists but the platform version is missing. | Host inventory or scanner row naming Defender or CVE-2026-45498. | Collect the Defender platform version. | Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
    | Not exposed | Defender platform is absent, disabled in a non-exploitable state per MSRC context, or the version is at least 4.18.26040.7. | Version output and Defender state. | None for this CVE. | Evidence is attached to the host record. |
    | Unknown | Host cannot provide the Defender version or event exports. | Gap statement naming the missing hosts or telemetry. | Keep high-value Windows hosts in scope. | Evidence is recovered or the risk owner accepts the named gap. |

    Timeline

    • 2026-05-19: MSRC publishes CVE-2026-45498 with exploitation detected (MSRC).
    • 2026-05-20: CISA adds CVE-2026-45498 to KEV with due date 2026-06-03 (CISA KEV).
    • 2026-05-20: NVD publication timestamp for CVE-2026-45498 (NVD).

    What Happened

    This is a local denial-of-service issue in the Defender Antimalware Platform. The closure condition is a platform version of exactly 4.18.26040.7 or newer.

    Technical Analysis

    MSRC classifies the issue as a denial of service with a local attack vector and no privileges required (MSRC), consistent with the NVD vector AV:L/PR:N/A:L. The useful detection path is the platform version combined with Defender service-interruption telemetry.

    Affected Assets and Blast Radius

    asset_selectors:
      - "Microsoft Defender"
      - "Microsoft Defender Antimalware Platform"
      - "CVE-2026-45498"
    version_selectors:
      affected_start: "4.18.26030.3011"
      fixed_platform: "4.18.26040.7"
    windows_event_ids:
      - 5007
      - 5013
      - 7031
      - 7034

    Indicators And Detection Selectors

    cves: ["CVE-2026-45498"]
    product: "Microsoft Defender Antimalware Platform"
    affected_platform_range: "4.18.26030.3011 <= platform < 4.18.26040.7"
    fixed_platform: "4.18.26040.7"
    telemetry_selectors:
      - "MsMpEng.exe"
      - "EventID 5007"
      - "EventID 5013"
      - "EventID 7031"
      - "EventID 7034"

    Detection and Hunting

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-45498-hunt" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-45498"
    $AffectedStart = [version]"4.18.26030.3011"
    $FixedPlatform = [version]"4.18.26040.7"
    $Status = Get-MpComputerStatus
    # AMProductVersion can be empty on a host whose platform is missing; record "version unknown"
    # instead of failing the [version] cast so the host still lands in the export.
    $Platform = $null
    if (-not [string]::IsNullOrWhiteSpace($Status.AMProductVersion)) { $Platform = [version]$Status.AMProductVersion }
    $InAffectedRange = ($null -ne $Platform -and $Platform -ge $AffectedStart -and $Platform -lt $FixedPlatform)
    $Since = (Get-Date).AddDays(-14)
    
    $DefenderEvents = Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Windows Defender/Operational"; Id=5007,5013; StartTime=$Since} -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, ProviderName, Message
    $ServiceEvents = Get-WinEvent -FilterHashtable @{LogName="System"; Id=7031,7034; StartTime=$Since} -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "Microsoft Defender|WinDefend|MsMpEng.exe|CVE-2026-45498|4.18.26030.3011|4.18.26040.7" } |
      Select-Object TimeCreated, Id, ProviderName, Message
    
    [pscustomobject]@{
      cve = $Cve
      computer = $env:COMPUTERNAME
      platform_version = $Status.AMProductVersion
      affected_start = "4.18.26030.3011"
      fixed_platform = "4.18.26040.7"
      in_affected_range = $InAffectedRange
      positive_signal = "in_affected_range true plus Defender Operational 5007/5013 or System 7031/7034 service failures after 2026-05-19"
    } | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-45498-host-state.json")
    $DefenderEvents | Export-Csv -NoTypeInformation -Path (Join-Path $Out "defender-operational-5007-5013.csv")
    $ServiceEvents | Export-Csv -NoTypeInformation -Path (Join-Path $Out "system-7031-7034-defender.csv")
    
    # Positive signal: in_affected_range true plus Defender Operational 5007/5013 or System 7031/7034 service failures after 2026-05-19.
    Write-Host "wrote $Out"
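The Impact Determination table and the hunt script's positive-signal rule describe one decision procedure: parse the platform version, test it against the affected range, and only count a Defender Operational 5007/5013 or System 7031/7034 failure as a positive signal when it falls on or after the MSRC publication date. The following PowerShell function is an added example, not code from the advisory: it implements that procedure over per-host records of the shape the hunt script exports. The function name, parameter names and the sample hosts are assumptions constructed for the example; treating a version older than 4.18.26030.3011 as "Potentially exposed" is also an assumption, because the table does not cover that case.

```powershell
# Added example, not code from the advisory: applies the Impact Determination table
# and the hunt script's positive-signal rule to per-host records. The function name,
# parameter names and sample hosts are assumptions constructed for this example.
$AffectedStart        = [version]"4.18.26030.3011"
$FixedPlatform        = [version]"4.18.26040.7"
$ExploitDetectedSince = [datetime]"2026-05-19"   # MSRC publication date from the Timeline

function Get-DefenderCve202645498Class {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [bool]$DefenderPresent = $true,
        [string]$PlatformVersion = "",        # AMProductVersion; empty when inventory lacks it
        [bool]$TelemetryAvailable = $true,    # $false when the host cannot export events
        [object[]]$InterruptionEvents = @()   # rows with TimeCreated and Id, as the hunt script exports
    )

    # Parse the platform version; an empty or unparseable value means "version unknown".
    $Platform = $null
    if (-not [string]::IsNullOrWhiteSpace($PlatformVersion)) {
        try { $Platform = [version]$PlatformVersion } catch { $Platform = $null }
    }

    $InRange  = $null
    $Positive = $false
    if ($null -ne $Platform) {
        $InRange = ($Platform -ge $AffectedStart -and $Platform -lt $FixedPlatform)
        # Positive signal: affected range plus Defender Operational 5007/5013 or
        # System 7031/7034 service failures on or after the MSRC publication date.
        $Recent = @($InterruptionEvents | Where-Object {
            ($_.Id -in 5007,5013,7031,7034) -and ([datetime]$_.TimeCreated -ge $ExploitDetectedSince)
        })
        $Positive = [bool]($InRange -and $Recent.Count -gt 0)
    }

    # Table rows, evaluated from strongest evidence to weakest.
    $Class = if (-not $DefenderPresent) { "Not exposed" }
        elseif ($Positive) { "Confirmed compromise" }
        elseif ($null -ne $Platform -and $InRange) { "Presumed exposed" }
        elseif ($null -ne $Platform -and $Platform -ge $FixedPlatform) { "Not exposed" }
        elseif ($null -ne $Platform) { "Potentially exposed" }   # older than the published range start; assumption: verify against MSRC
        elseif ($TelemetryAvailable) { "Potentially exposed" }   # Defender present, version missing
        else { "Unknown" }                                       # neither version nor event export available

    [pscustomobject]@{
        computer          = $Computer
        platform_version  = $PlatformVersion
        in_affected_range = $InRange
        positive_signal   = $Positive
        classification    = $Class
    }
}

# Constructed sample inventory (not real hosts or telemetry).
$Hosts = @(
    @{ Computer = "WS01"; PlatformVersion = "4.18.26030.3011"; InterruptionEvents = @(
        [pscustomobject]@{ TimeCreated = [datetime]"2026-05-21 03:12:00"; Id = 7034 }) }
    @{ Computer = "WS02"; PlatformVersion = "4.18.26030.3011"; InterruptionEvents = @(
        [pscustomobject]@{ TimeCreated = [datetime]"2026-05-10 09:00:00"; Id = 7034 }) }   # crash predates 2026-05-19
    @{ Computer = "WS03"; PlatformVersion = "4.18.26040.7" }
    @{ Computer = "WS04"; PlatformVersion = "" }
    @{ Computer = "WS05"; PlatformVersion = ""; TelemetryAvailable = $false }
    @{ Computer = "SRV01"; DefenderPresent = $false }
)
$Results = foreach ($h in $Hosts) { Get-DefenderCve202645498Class @h }
$Results | Format-Table computer, platform_version, in_affected_range, positive_signal, classification -AutoSize

# Fleet rollup: how many hosts sit in each table row.
$Results | Group-Object classification | Select-Object Name, Count
```

The date gate matters: a Defender service crash before 2026-05-19 on an in-range host still leaves it "Presumed exposed" rather than "Confirmed compromise", matching the hunt script's positive-signal wording. In a real run, `$Hosts` would be built from the host-state JSON and the two event CSVs the hunt script writes, with `platform_version` feeding `PlatformVersion` and the CSV rows feeding `InterruptionEvents`.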

    Patch, Mitigation, and Verification

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-45498-closure" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-45498"
    $FixedPlatform = [version]"4.18.26040.7"
    $AffectedStart = [version]"4.18.26030.3011"
    $Status = Get-MpComputerStatus
    # A missing AMProductVersion must not count as closed; guard the cast so the host is recorded as open.
    $Platform = $null
    if (-not [string]::IsNullOrWhiteSpace($Status.AMProductVersion)) { $Platform = [version]$Status.AMProductVersion }
    $Closed = ($null -ne $Platform -and $Platform -ge $FixedPlatform)
    
    [pscustomobject]@{
      cve = $Cve
      computer = $env:COMPUTERNAME
      platform_version = $Status.AMProductVersion
      affected_start = "4.18.26030.3011"
      fixed_platform = "4.18.26040.7"
      closure_state = $Closed
      msrc_source = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45498"
      remediation_trigger = "Platform version below 4.18.26040.7 on a host at or above 4.18.26030.3011 keeps CVE-2026-45498 open."
    } | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "defender-cve-2026-45498-closure.json")
    
    # Remediation trigger: platform version below 4.18.26040.7 on a host at or above 4.18.26030.3011 keeps CVE-2026-45498 open.
    Write-Host "wrote $Out"

    Downstream Abuse Audits

    $ErrorActionPreference = "Stop"
    $Out = $env:OUT
    if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-defender-cve-2026-45498-downstream" }
    New-Item -ItemType Directory -Force -Path $Out | Out-Null
    
    $Cve = "CVE-2026-45498"
    $Since = (Get-Date).AddDays(-14)
    $Events = Get-WinEvent -FilterHashtable @{LogName="System"; Id=7031,7034,7040; StartTime=$Since} -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "WinDefend|Microsoft Defender|MsMpEng.exe|CVE-2026-45498|4.18.26030.3011|4.18.26040.7" } |
      Select-Object TimeCreated, Id, ProviderName, Message
    $Events | Export-Csv -NoTypeInformation -Path (Join-Path $Out "defender-cve-2026-45498-service-events.csv")
    
    # Positive signal: Defender service termination or protection-state changes on an affected platform version.
    # Remediation trigger: unexplained Defender interruption keeps the host in scope for service-state and protection-gap analysis.
    Write-Host "wrote $Out for $Cve"

    Sources

    1. CISA Known Exploited Vulnerabilities catalog JSON
    2. MSRC CVE-2026-45498
    3. NVD CVE-2026-45498