Microsoft Defender, Elevation of Privilege, CVE-2026-41091 (HIGH)

Listen to this Post

How the mentioned CVE works (around 20 lines)

CVE-2026-41091 is a high-severity (CVSS 7.8) local privilege escalation vulnerability in Microsoft Defender. The flaw resides in the Microsoft Malware Protection Engine (MMPE) versions prior to 1.1.26040.8. It occurs when Defender improperly resolves symbolic links during file access, leading to a link-following vulnerability. Specifically, when Defender processes a file via a symbolic link, it fails to validate the target path adequately. An authenticated low-privilege user can create a malicious symbolic link pointing to a protected system resource. When Defender later accesses this link, it follows the link and operates on the unintended target with its high privileges. This violates the principle of least privilege and bypasses normal access controls. The vulnerability is particularly dangerous because Defender runs with SYSTEM-level privileges. By manipulating Defender into following a crafted link, an attacker can force it to read, write, or delete arbitrary system files. For example, an attacker could redirect Defender’s log file write operation to overwrite a critical system file. This can lead to full system compromise without any user interaction. The attack vector is local, requires low privileges, and has high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access). Microsoft has addressed the issue by implementing proper path validation and link resolution controls in the MMPE update.

dailycve form

Platform: Microsoft Defender
Version: <1.1.26040.8
Vulnerability: Improper link resolution
Severity: HIGH
date: 2026-05-20

Prediction: 2026-05-27

Analytics under heading What Undercode Say:

Check MMPE version (PowerShell):

Get-MpComputerStatus | select AMEngineVersion

List suspicious symbolic links (cmd):

dir /AL /S C:\Users\Public

Monitor Defender file access (Sysmon):

sysmon -accepteula -i "Event ID: 11 (FileCreate)"

Detect link-following attempts (PowerShell):

Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | Where-Object {$_.Message -like "symbolic link"}

Check for missing patches (PowerShell):

Get-HotFix | where HotFixID -like "KB5" | Format-List

Exploit:

An authenticated low-privilege attacker creates a symbolic link from a non-protected location to a sensitive system file (e.g., C:\Windows\System32\config\SAM). When the Microsoft Defender scan engine processes the link without proper validation, it follows the link and accesses the target file with SYSTEM privileges. The attacker can then leverage this to read or modify the target file, escalating privileges to SYSTEM level and potentially gaining full control over the system.

Protection from this CVE

  1. Update Microsoft Malware Protection Engine to version 1.1.26040.8 or later via Windows Update or the Microsoft Update Catalog.
  2. Restrict symbolic link creation using Group Policy: set `SeCreateSymbolicLinkPrivilege` to only administrators.
  3. Enable Windows Defender Attack Surface Reduction (ASR) rules to block untrusted symbolic link usage.
  4. Monitor Defender logs for unusual file access patterns or link-following events.
  5. Apply principle of least privilege – limit user permissions to reduce attack surface.

Impact

Successful exploitation allows a local low-privileged attacker to gain SYSTEM-level privileges on the affected machine. This results in complete system compromise, enabling the attacker to:
– Modify or delete any system file
– Install persistent malware
– Disable security software
– Exfiltrate sensitive data such as the SAM hive
– Use the compromised host as a pivot point for further network attacks

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top