
Microsoft has released emergency patches for two Windows Defender vulnerabilities that attackers are already exploiting in the wild. The first, CVE-2026-41091, is a privilege escalation flaw in the Microsoft Malware Protection Engine (versions 1.1.26030.3008 and earlier) that lets an attacker with a foothold on your PC elevate themselves to full SYSTEM-level control. The second, CVE-2026-45498, is a denial-of-service bug in the Microsoft Defender Antimalware Platform (versions 4.18.26030.3011 and earlier) that can crash the very software protecting your PC. CISA has ordered all federal agencies to apply the patches by June 3, 2026.
The good news: both patches are already rolling out through Windows’ normal automatic-update process. Microsoft says the default configuration of its antimalware software keeps definitions and the platform updated automatically, so most users are already protected — but it’s worth taking a moment to confirm your PC has actually installed the update.
How to check if you’re affected
Affected versions include Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, and Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. To check: open Windows Security → Settings (gear icon) → scroll to About and look at the “Antimalware Client Version” and “Engine Version” numbers. If they are at or above 4.18.26040.7 (platform) and 1.1.26040.8 (engine), you are protected. If not, go to Windows Update and install any pending updates, then check again.
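The same check can be scripted. The PowerShell below is an added example, not Microsoft's code or part of the original article: it reads the installed versions with Get-MpComputerStatus and compares them with the version numbers quoted above. The function name Get-DefenderPatchState and the "Unlisted" label for builds that fall between the last affected and first fixed numbers are assumptions made for this illustration.

```powershell
# Added example. All thresholds are the version numbers quoted in this article.
$Fixed = @{
    Platform = [version]'4.18.26040.7'     # Antimalware Platform, CVE-2026-45498
    Engine   = [version]'1.1.26040.8'      # Malware Protection Engine, CVE-2026-41091
}
$LastAffected = @{
    Platform = [version]'4.18.26030.3011'
    Engine   = [version]'1.1.26030.3008'
}

# Hypothetical helper: classify one installed version against the two thresholds.
function Get-DefenderPatchState {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version]$FixedVersion,
        [Parameter(Mandatory)][version]$LastAffectedVersion
    )
    if ($Installed -ge $FixedVersion)        { return 'Patched' }
    if ($Installed -le $LastAffectedVersion) { return 'Affected' }
    return 'Unlisted'   # between the two numbers the article gives; update and re-check
}

try {
    # Fails if the Defender service is stopped or another AV product has replaced it.
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Warning "Could not query Microsoft Defender: $($_.Exception.Message)"
    return
}

$installed = @{
    Platform = [version]$status.AMProductVersion   # "Antimalware Client Version" in the UI
    Engine   = [version]$status.AMEngineVersion    # "Engine Version" in the UI
}

# One result row per component, so the output can be piped to Export-Csv or Where-Object.
foreach ($component in 'Platform', 'Engine') {
    [pscustomobject]@{
        Component = $component
        Installed = $installed[$component]
        FixedIn   = $Fixed[$component]
        State     = Get-DefenderPatchState -Installed $installed[$component] `
                        -FixedVersion $Fixed[$component] `
                        -LastAffectedVersion $LastAffected[$component]
    }
}
```

Any row whose State is not "Patched" means the machine should install pending updates through Windows Update and be checked again.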
