Introduction
An actively exploited link following flaw in the Microsoft Malware Protection Engine lets any local user with low privileges escalate to SYSTEM, turning a foothold into full host compromise without any user interaction. Given that Microsoft Defender holds the largest share of the modern endpoint security market, the sheer number of potentially affected systems makes this vulnerability particularly noteworthy for defenders and incident responders alike.
Technical Information
Root Cause
CVE-2026-41091 falls under CWE-59: Improper Link Resolution Before File Access, commonly referred to as "link following." The Microsoft Malware Protection Engine, which underpins Microsoft Defender, runs as a highly privileged SYSTEM service. When the engine performs file operations, it resolves filenames without adequately verifying whether those filenames point to symbolic links, junctions, or shortcuts that redirect to unintended resources.
This class of vulnerability is well understood in the Windows privilege escalation landscape. A low privilege user can create a symbolic link or NTFS junction in a location where the Defender engine performs file operations. Because the engine does not validate the link target before acting on it, the resulting file operation (write, delete, or permission change) is carried out with SYSTEM privileges against whatever resource the link points to.
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Base Score | 7.8 |
| Attack Vector | Local |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Attack Flow
- Initial Access: The attacker must already have local, authenticated access to the target system with at least low level privileges.
- Link Creation: The attacker places a crafted symbolic link or junction in a directory where the Malware Protection Engine performs file operations. The link resolves to a sensitive system resource chosen by the attacker.
- Engine Trigger: The Malware Protection Engine, running as SYSTEM, encounters the crafted link during its normal file access routines (such as scanning or quarantine operations).
- Improper Resolution: The engine follows the link without validating its target, performing the intended file operation against the attacker controlled destination.
- Privilege Escalation: Because the operation executes under the SYSTEM context, the attacker effectively gains SYSTEM level control, enabling arbitrary file manipulation, security tool bypass, and full host compromise.
Important Exploitability Condition
Microsoft has clarified that systems where Microsoft Defender is disabled are not in an exploitable state, even if vulnerability scanners detect the vulnerable engine binaries on disk. The engine must be actively running for the link following behavior to be triggered.
Affected Systems and Versions
| Component | Vulnerable Version | Remediated Version |
|---|---|---|
| Microsoft Malware Protection Engine | 1.1.26030.3008 and earlier | 1.1.26040.8 and later |
Any system running Microsoft Defender with the Malware Protection Engine at version 1.1.26030.3008 or earlier is affected. This includes Windows endpoints and servers where Defender is the active antimalware solution.
Vendor Security History
Microsoft Defender, owing to its massive deployment footprint, has been a recurring target for privilege escalation research. Microsoft's endpoint security market share grew from 25.8 percent in 2023 to 28.6 percent in 2024, making it the number one modern endpoint security product for three consecutive years according to IDC. This dominance means that any vulnerability in the Malware Protection Engine has an outsized impact across the global enterprise landscape. The Hong Kong CERT alert that covers CVE-2026-41091 also references multiple other Microsoft product vulnerabilities being exploited concurrently, underscoring the breadth of the attack surface that Microsoft products present.
References
- Microsoft Security Response Center Advisory for CVE-2026-41091
- NVD Entry for CVE-2026-41091
- CVE Record: CVE-2026-41091
- Hong Kong CERT High Threat Security Alert (A26-05-33)
- CWE-59: Improper Link Resolution Before File Access
- Microsoft Defender Antivirus Update Management
- Microsoft Ranked Number One in Modern Endpoint Security Market Share
- Help Net Security: Microsoft Patches 80+ Vulnerabilities
- PT Security: CVE-2026-41091 Advisory



