criticalCISA KEVCVE-2026-41091

Microsoft Defender Link Following Vulnerability

Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.

ProductDefender
CVSS7.8
EPSS0.08371
UpdatedJuly 9, 2026

Quick answer

Microsoft Defender should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-41091 is a Microsoft Defender link-following privilege escalation vulnerability. Update the Microsoft Malware Protection Engine across all Windows systems; NVD shows versions before 1.1.26040.8 as affected. Because this is a local privilege escalation risk, prioritize shared systems, admin workstations, servers with untrusted file handling, and machines where attackers could already have a low-privileged foothold.

  1. Inventory all systems running Microsoft Defender and collect the Malware Protection Engine version.
  2. Force Defender engine and platform updates through Windows Update, Defender for Endpoint, Intune, WSUS, or the enterprise update process.
  3. Confirm Microsoft Malware Protection Engine version 1.1.26040.8 or later is installed.
  4. Investigate endpoints that are not receiving automatic Defender updates or are running unsupported builds.
  5. Restrict local user rights and review systems where untrusted users can write files that Defender scans with elevated privileges.
  6. Review security logs for suspicious local privilege escalation, service manipulation, or unexpected Defender file operations.
  7. Keep Defender automatic updates enabled and monitor update compliance after remediation.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Run Get-MpComputerStatus or the EDR inventory query and confirm AMEngineVersion is 1.1.26040.8 or later.
  • Verify Defender services are healthy and real-time protection remains enabled after the update.
  • Confirm endpoint compliance reports show no stale engine versions.
  • Review local event logs and EDR alerts for privilege escalation indicators during the exposure window.
  • Run a Fixnx scan against public Windows-hosted services after endpoint remediation.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-41091?

Microsoft Defender should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.