Microsoft Defender CVE-2026-41091 and CVE-2026-45498: CISA KEV Patch Guide

CISA KEV patch guide for Microsoft Defender CVE-2026-41091 and CVE-2026-45498 on Windows Server, hosting, RDS, Hyper-V, and admin machines.

Short version: CISA added two Microsoft Defender issues to the Known Exploited Vulnerabilities catalog on May 20, 2026: CVE-2026-41091 and CVE-2026-45498. That makes this more than a normal “wait for the next maintenance window” Defender update. Windows workstations, Windows Server systems, hosting support machines, RDS servers, IIS boxes, Hyper-V hosts, domain controllers, file servers, and backup servers should be checked for current Microsoft Defender engine and platform versions.

The practical job is simple: update Microsoft Defender, verify the engine and platform versions, make sure Windows Server roles are not stranded in passive or stale security-intelligence state, and document the machines that handle customer files. This is especially important for hosting shops because admin workstations and shared file paths often become the bridge between customer uploads, backups, support tooling, and server management.

What CISA Added

  • CVE-2026-41091 is a Microsoft Defender link-following vulnerability. NVD lists it as a high-severity local privilege escalation issue with CVSS 7.8. The affected Microsoft Malware Protection Engine range shown by NVD starts at 1.1.26030.3008 and ends before 1.1.26040.8.
  • CVE-2026-45498 is a Microsoft Defender denial-of-service vulnerability. NVD and Microsoft currently show different scoring context, so admins should focus on the vendor update path and the CISA KEV deadline instead of arguing with the scanner. NVD lists the affected Microsoft Defender Antimalware Platform range as 4.18.26030.3011 through versions before 4.18.26040.7.
  • CISA KEV date: May 20, 2026.
  • CISA remediation deadline for federal systems: June 3, 2026. Private-sector admins should treat that as a useful urgency signal, not as a reason to wait.

CISA also added several older Windows, DirectX, Internet Explorer, and Adobe Acrobat/Reader CVEs in the same feed update. Those older entries matter most for legacy desktops, old application islands, lab machines, unmanaged VDI images, and customer environments that still carry unsupported software. For current hosting operations, the Defender items are the part to handle first.

Who Should Prioritize This

  • Hosting support workstations that download customer files, inspect archives, run migrations, or open tickets with attachments.
  • IIS and Windows hosting servers where Defender scans web roots, temporary upload folders, mail spools, and customer content.
  • RDS and terminal servers used by technicians or customers, especially where many users share one Windows image.
  • Hyper-V hosts and management machines because a Defender weakness on the admin plane can create ugly side effects for virtual infrastructure operations.
  • Domain controllers, DNS servers, file servers, and backup servers because stale protection on those machines can turn a small endpoint problem into a larger recovery problem.
  • Golden images and templates used for Windows desktops, jump boxes, lab systems, and customer support environments.

Safe Version Checks

On Windows systems where Microsoft Defender is present, check the Defender platform, engine, and signature state. These commands are read-only except for the optional update command.

Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated, RealTimeProtectionEnabled

If the machine is allowed to update directly from Microsoft or your managed update path, refresh Defender security intelligence and platform components:

Update-MpSignature

Then run the version check again. For CVE-2026-41091, the Microsoft Malware Protection Engine should be outside the affected range ending before 1.1.26040.8. For CVE-2026-45498, the Microsoft Defender Antimalware Platform should be outside the affected range ending before 4.18.26040.7.
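The same check, turned into a reusable, read-only inventory function. This is an added example, not a command from the guide or from Microsoft: the range boundaries are the NVD figures quoted above, the 24-hour signature-age threshold and the server names in the trailing comment are constructed placeholders, and Test-DefenderKevExposure is a name chosen here.

```powershell
# Added example (not from the original guide): compare a machine's Defender engine and
# platform versions against the affected ranges quoted above for CVE-2026-41091 and
# CVE-2026-45498, and flag stale signatures, passive mode, or disabled real-time protection.
# Read-only: it changes nothing. Run locally or via Invoke-Command on each Windows Server role.

function Test-DefenderKevExposure {
    param(
        # Defaults to the live status object; pass a saved object to re-check an inventory export.
        $Status = (Get-MpComputerStatus),
        [int]$MaxSignatureAgeHours = 24   # constructed threshold; tune to your update cadence
    )

    # Affected ranges as listed on the page: [start, fixed) for engine and platform.
    $engineStart   = [version]'1.1.26030.3008'
    $engineFixed   = [version]'1.1.26040.8'      # CVE-2026-41091: engine must be at or above this
    $platformStart = [version]'4.18.26030.3011'
    $platformFixed = [version]'4.18.26040.7'     # CVE-2026-45498: platform must be at or above this

    $engine   = [version]$Status.AMEngineVersion
    $platform = [version]$Status.AMProductVersion
    $findings = @()

    if ($engine -lt $engineFixed) {
        $where = if ($engine -ge $engineStart) { 'inside the NVD range' } else { 'older than the NVD range; treat as stale' }
        $findings += "CVE-2026-41091: engine $engine is $where (needs >= $engineFixed)"
    }
    if ($platform -lt $platformFixed) {
        $where = if ($platform -ge $platformStart) { 'inside the NVD range' } else { 'older than the NVD range; treat as stale' }
        $findings += "CVE-2026-45498: platform $platform is $where (needs >= $platformFixed)"
    }
    if (-not $Status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if ($Status.AMRunningMode -ne 'Normal')     { $findings += "Running mode is '$($Status.AMRunningMode)', not Normal" }
    $sigAge = (Get-Date) - $Status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings += ('Security intelligence is {0:N0} hours old' -f $sigAge.TotalHours)
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        PlatformVersion  = $platform
        SignatureVersion = $Status.AntivirusSignatureVersion
        Exposed          = $findings.Count -gt 0
        Findings         = $findings -join '; '
    }
}

# Local run, or fan out to a list of servers (placeholder names) and keep the output as the patch record:
# Invoke-Command -ComputerName dc01, iis01, rds01 -ScriptBlock ${function:Test-DefenderKevExposure} |
#     Export-Csv .\defender-kev-inventory.csv -NoTypeInformation
```

Engines or platforms below the start of the NVD range are reported too, since an older build is a stale component, not a safe one.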

Patch Paths That Actually Work

  • Windows Update: Use it for standalone workstations, small offices, and servers that are allowed to talk to Microsoft update services.
  • WSUS: Approve Microsoft Defender Antivirus, Microsoft Defender Antivirus antimalware platform, security intelligence, and the relevant Windows cumulative updates. Do not only approve the monthly cumulative update and assume Defender components moved with it.
  • Intune or RMM: Push Defender platform and security-intelligence updates, then collect version inventory. Pay extra attention to laptops that were offline during the last update wave.
  • Microsoft Update Catalog or offline servicing: Use this for isolated servers, jump boxes, VDI templates, and maintenance networks where direct update traffic is not allowed.
  • Golden images: Patch the base image, boot it once, update Defender, verify versions, then reseal. Do not clone stale Defender engines back into production.

Reboot And Maintenance Planning

Defender security-intelligence updates often do not require the same kind of reboot planning as a Windows cumulative update, but hosting admins should still plan this like real maintenance. Some machines will need a restart because they are also missing monthly Windows updates, servicing stack updates, driver updates, or pending reboots from earlier work.

  • IIS servers: Update one server at a time behind the load balancer, drain active traffic first, then verify web services and application pools after the reboot.
  • RDS servers: Notify users, stop new logons, drain sessions, update, reboot if required, and verify profile load plus line-of-business apps.
  • Hyper-V hosts: Live migrate or shut down guests cleanly before host patching. Confirm replication, cluster health, and backup status before and after the work.
  • Domain controllers: Patch one DC at a time. Verify replication, DNS, time sync, and authentication after each reboot.
  • Backup servers: Avoid patching in the middle of backup windows. Confirm backup jobs, repository access, and restore-point visibility after updates.
  • Admin workstations: Patch early. These machines touch the most sensitive customer paths and should not trail the server fleet.

Post-Update Verification

  • Record the Defender engine version, platform version, signature version, and last update time.
  • Confirm the machine is not stuck behind an old WSUS approval, broken proxy, expired TLS inspection rule, or disabled Defender update channel.
  • Check for stale vulnerability scanner results after the next inventory sync. Defender component CVEs can continue to show until the scanner sees the updated engine and platform files.
  • Review Defender operational events for update failures, disabled real-time protection, repeated service crashes, or tamper-protection changes.
  • For servers handling customer files, spot-check upload directories, mail quarantine paths, backup staging paths, and support download folders for unusual executable content.
  • For RDS and admin workstations, confirm that users cannot bypass endpoint controls by using old snapshots, offline clones, or unmanaged local accounts.
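To make the event review above reproducible, here is an added example (not from the guide or from Microsoft) that pulls the Defender operational events matching the failure classes listed: update failures, real-time protection disabled, engine crashes, and tamper-protection blocked changes. The event IDs follow Microsoft's published Defender event reference, the seven-day window is a constructed default, and Get-DefenderHealthEvents is a name chosen here.

```powershell
# Added example (not from the original guide): list recent Defender operational events
# that indicate update failures, disabled real-time protection, engine errors, or
# tamper-protection blocks, so the post-update check leaves evidence rather than a glance.
# Event IDs per Microsoft's Defender event reference; confirm against your platform build.

function Get-DefenderHealthEvents {
    param([int]$Days = 7)   # constructed default window

    $ids = @{
        2001 = 'Security intelligence update failed'
        2003 = 'Engine update failed'
        5001 = 'Real-time protection disabled'
        5008 = 'Antimalware engine error / crash'
        5013 = 'Tamper protection blocked a change'
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$ids.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises an error when no events match, which is the good outcome here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Meaning'; e = { $ids[[int]$_.Id] } },
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Sort-Object TimeCreated -Descending
}

Get-DefenderHealthEvents | Format-Table -AutoSize
```

An empty result after the update wave is what you want; any 2001 or 2003 entries point at the WSUS approval, proxy, or TLS-inspection problems called out in the checklist.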

What To Tell Customers

A clean customer note can be short: Microsoft Defender received updates for two issues that CISA now tracks as known exploited vulnerabilities. Hosting systems, support workstations, and Windows Server roles are being updated and verified. Customer sites do not need to change application code, but customers should keep their own Windows endpoints current if they use RDP, file managers, FTP clients, or website backup downloads.

Sources

Related Fix I.T. Phill Windows guidance: Microsoft Defender CVE-2026-33825 patch guide and Windows Shell CVE-2026-32202 server patch guide.

Bottom line: update Defender, verify the exact engine and platform versions, and do not let admin workstations or Windows Server roles sit behind stale Defender components just because the monthly cumulative update looks complete.

admin