CVE-2026-41091
Published: 20 May 2026
Summary
CVE-2026-41091 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Malware Protection Engine. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 5.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-41091 is an improper link resolution vulnerability, also described as a link-following flaw under CWE-59, that affects Microsoft Defender. The issue permits an authorized local attacker to perform unauthorized file access operations that lead to privilege escalation on the affected system, carrying a CVSS 3.1 base score of 7.8 reflecting high impact on confidentiality, integrity, and availability.
An attacker with local access and low privileges can exploit the flaw without user interaction by supplying a malicious link that Microsoft Defender follows before properly validating the target. Successful exploitation grants the attacker elevated rights on the host, enabling further actions such as installing persistent malware or accessing sensitive data.
Microsoft has published remediation guidance through its Security Response Center at the listed MSRC URL, while CISA includes the CVE in its Known Exploited Vulnerabilities catalog, indicating that federal agencies must apply available mitigations. The EPSS score rose from a low baseline to a peak of 0.1210 the day after disclosure before receding to the current value of 0.0821, showing measurable post-publication exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31101
Vulnerability details
Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
- CWE(s)
- KEV Date Added: 20 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Link-following vulnerability in a privileged process (Defender) directly enables local privilege escalation via exploitation of a software flaw.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces access validation on file paths and links before Microsoft Defender performs operations, blocking the unauthorized link-following that leads to privilege escalation.
Requires prompt application of the vendor remediation for this specific flaw in Microsoft Defender, eliminating the improper link-resolution code path.
Restricts the initial low-privileged account's rights so that even successful link-following yields minimal additional access on the host.