ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-41091 — Microsoft Defender Elevation of Privilege via Link Following

A short review of CVE-2026-41091, a high severity link following vulnerability in Microsoft Defender's Malware Protection Engine that allows local privilege escalation to SYSTEM and is confirmed to be actively exploited in the wild.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Brief Summary: CVE-2026-41091 — Microsoft Defender Elevation of Privilege via Link Following
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An actively exploited link following flaw in the Microsoft Malware Protection Engine lets any local user with low privileges escalate to SYSTEM, turning a foothold into full host compromise without any user interaction. Given that Microsoft Defender holds the largest share of the modern endpoint security market, the sheer number of potentially affected systems makes this vulnerability particularly noteworthy for defenders and incident responders alike.

Technical Information

Root Cause

CVE-2026-41091 falls under CWE-59: Improper Link Resolution Before File Access, commonly referred to as "link following." The Microsoft Malware Protection Engine, which underpins Microsoft Defender, runs as a highly privileged SYSTEM service. When the engine performs file operations, it resolves filenames without adequately verifying whether those filenames point to symbolic links, junctions, or shortcuts that redirect to unintended resources.

This class of vulnerability is well understood in the Windows privilege escalation landscape. A low privilege user can create a symbolic link or NTFS junction in a location where the Defender engine performs file operations. Because the engine does not validate the link target before acting on it, the resulting file operation (write, delete, or permission change) is carried out with SYSTEM privileges against whatever resource the link points to.

CVSS 3.1 Breakdown

MetricValue
Base Score7.8
Attack VectorLocal
Privileges RequiredLow
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh

Attack Flow

  1. Initial Access: The attacker must already have local, authenticated access to the target system with at least low level privileges.
  2. Link Creation: The attacker places a crafted symbolic link or junction in a directory where the Malware Protection Engine performs file operations. The link resolves to a sensitive system resource chosen by the attacker.
  3. Engine Trigger: The Malware Protection Engine, running as SYSTEM, encounters the crafted link during its normal file access routines (such as scanning or quarantine operations).
  4. Improper Resolution: The engine follows the link without validating its target, performing the intended file operation against the attacker controlled destination.
  5. Privilege Escalation: Because the operation executes under the SYSTEM context, the attacker effectively gains SYSTEM level control, enabling arbitrary file manipulation, security tool bypass, and full host compromise.

Important Exploitability Condition

Microsoft has clarified that systems where Microsoft Defender is disabled are not in an exploitable state, even if vulnerability scanners detect the vulnerable engine binaries on disk. The engine must be actively running for the link following behavior to be triggered.

Affected Systems and Versions

ComponentVulnerable VersionRemediated Version
Microsoft Malware Protection Engine1.1.26030.3008 and earlier1.1.26040.8 and later

Any system running Microsoft Defender with the Malware Protection Engine at version 1.1.26030.3008 or earlier is affected. This includes Windows endpoints and servers where Defender is the active antimalware solution.

Vendor Security History

Microsoft Defender, owing to its massive deployment footprint, has been a recurring target for privilege escalation research. Microsoft's endpoint security market share grew from 25.8 percent in 2023 to 28.6 percent in 2024, making it the number one modern endpoint security product for three consecutive years according to IDC. This dominance means that any vulnerability in the Malware Protection Engine has an outsized impact across the global enterprise landscape. The Hong Kong CERT alert that covers CVE-2026-41091 also references multiple other Microsoft product vulnerabilities being exploited concurrently, underscoring the breadth of the attack surface that Microsoft products present.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization