ZeroPath at Black Hat USA 2026

Brief Summary: Microsoft Defender RCE via Heap Buffer Overflow (CVE-2026-45584)

A short review of CVE-2026-45584, a heap-based buffer overflow in the Microsoft Malware Protection Engine that enables remote code execution. Includes technical details, patch information, and threat intelligence context.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Brief Summary: Microsoft Defender RCE via Heap Buffer Overflow (CVE-2026-45584)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap-based buffer overflow in the Microsoft Malware Protection Engine now gives remote attackers a path to code execution on virtually every Windows system running Microsoft Defender. Because Defender ships enabled by default across all supported versions of Windows, CVE-2026-45584 represents a vulnerability with an unusually broad blast radius, touching enterprise endpoints, servers, and consumer machines alike.

Technical Information

Root Cause

The vulnerability resides in mpengine.dll, the core scanning, detection, and cleaning library shared across Microsoft Defender, System Center Endpoint Protection, and Microsoft Security Essentials. It is classified as CWE-122 (Heap-based Buffer Overflow), meaning the flaw involves writing data beyond the bounds of a heap-allocated buffer during file scanning operations within the engine.

CVSS Metrics

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
MetricValueDescription
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)HighRequires enticing a user to trigger a scan on a quarantined malicious file
Privileges Required (PR)NoneNo prior authentication or privileges needed
User Interaction (UI)NoneScored as None at the base metric level, though complexity notes user actions are required to prepare the environment
Confidentiality (C)HighTotal loss of information confidentiality
Integrity (I)HighTotal compromise of system integrity
Availability (A)HighTotal loss of resource availability

The base score of 8.1 reflects the tension between the severe impact (High across all three CIA dimensions) and the elevated attack complexity.

Attack Flow

Based on the MSRC advisory, the exploitation sequence proceeds as follows:

  1. Delivery: The attacker delivers a specially crafted malicious file to the target system over the network. This could arrive via email, a web download, a file share, or any other network delivery mechanism that places a file on the target.

  2. Quarantine: Microsoft Defender detects the file as suspicious and quarantines it. At this stage, the vulnerability has not yet been triggered.

  3. User Interaction: The attacker must entice the local user into performing multiple actions that cause Defender to re-scan the quarantined file. The specific user actions required are not detailed in the advisory, but this step is what drives the High attack complexity rating.

  4. Trigger: When the Malware Protection Engine (mpengine.dll) processes the crafted file from quarantine, the heap-based buffer overflow is triggered. The overflow corrupts heap memory in a way that allows the attacker to redirect execution flow.

  5. Code Execution: The attacker achieves arbitrary code execution in the context of the engine process, with full impact on confidentiality, integrity, and availability of the host system.

The fact that exploitation requires the file to first be quarantined and then re-scanned through user interaction is a meaningful barrier. However, social engineering techniques and targeted phishing campaigns can reliably overcome this hurdle in practice, particularly in enterprise environments.

Patch Information

Microsoft released an official fix on May 19, 2026, delivered through the standard Microsoft Malware Protection Engine update pipeline. The MSRC advisory specifies exact versioning boundaries:

ComponentVulnerable VersionFixed Version
Microsoft Malware Protection Engine1.1.26030.3008 and prior1.1.26040.8

The Remediation Level in the CVSS temporal metrics is set to Official Fix (RL:O), confirming this is a complete vendor solution rather than a workaround or interim hotfix.

Automatic Updates

In most environments, no manual action is required. Microsoft Defender is configured by default to automatically pull engine and security intelligence updates multiple times per day. The engine update ships bundled with security intelligence updates under:

  • KB2267602 (for Microsoft Defender)
  • KB2461484 (for System Center Endpoint Protection)

Environments with functioning automatic updates would have received the patched engine version shortly after release.

Manual and Enterprise Distribution

For enterprise environments where automatic updates are gated or delayed, administrators can distribute the patched engine through WSUS, Microsoft Configuration Manager (SCCM/MECM), Intune, or a UNC file share. A manual update can also be forced on individual hosts:

MpCmdRun.exe -SignatureUpdate

This forces a signature and engine pull, bringing the engine to version 1.1.26040.8 or later.

Verification

To confirm your engine version, administrators can check the "Engine Version" field in the Windows Security app under Virus & threat protection > Protection updates, or query through PowerShell:

Get-MpComputerStatus | Select-Object AMEngineVersion

A Note on False Positives from Scanners

Systems where Microsoft Defender is disabled may still appear vulnerable in third-party vulnerability scanner reports. This happens because scanners detect the mpengine.dll binary on disk and flag its version number. Microsoft clarifies that disabled Defender installations are not in an exploitable state, since exploitation requires Defender to actively scan a specially crafted malicious file from quarantine.

Affected Systems and Versions

The vulnerability affects all systems running the Microsoft Malware Protection Engine at version 1.1.26030.3008 or earlier. Specific affected products and platforms include:

  • Windows 11 (versions 24H2, 25H2, 26H1 for x64)
  • Windows Server 2025
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials

Any product or platform that relies on mpengine.dll for scanning is within the scope of this vulnerability.

Vendor Security History

Microsoft has been recognized as a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms for six consecutive years as of 2025. Microsoft Defender XDR achieved 100% protection coverage in MITRE Engenuity ATT&CK evaluations, and the company holds Leader positions in four Forrester Wave categories. Despite this strong industry standing, the discovery of a critical remote code execution vulnerability in the default Windows antimalware engine underscores the persistent challenge of securing complex, widely deployed software. The fact that three related vulnerabilities disclosed in the same patch cycle (CVE-2026-41091, CVE-2026-45498, CVE-2026-45585) are already being exploited in the wild further illustrates the ongoing pressure on Microsoft's security response capabilities.

Threat Intelligence

The exploit code maturity for CVE-2026-45584 is currently listed as Unproven by Microsoft. No functional public exploit has been documented.

However, the threat context around this disclosure warrants attention. GovCERT.HK issued a High Threat Security Alert noting that multiple vulnerabilities patched in the same cycle, specifically CVE-2026-41091, CVE-2026-45498, and CVE-2026-45585, are already being exploited in the wild. Because CVE-2026-45584 was disclosed alongside these and affects similar components, the probability of threat actors reverse-engineering the patch to develop working exploits is elevated.

The provided intelligence does not attribute the active exploitation of the related CVEs to specific threat actors or APT groups. CVE-2026-45584 is not currently listed in the CISA Known Exploited Vulnerabilities catalog, though CISA has been actively adding vulnerabilities throughout April and May 2026. Organizations should monitor threat feeds and the CISA KEV catalog for any status changes.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization