Cyber Resilience

CVE-2026-41091

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 20 May 2026
Modified: 20 May 2026
KEV Added: 20 May 2026
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0837 (94.3rd percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-41091 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Malware Protection Engine. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 5.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41091 is an improper link resolution vulnerability, also described as a link-following flaw under CWE-59, that affects Microsoft Defender. The issue permits an authorized local attacker to perform unauthorized file access operations that lead to privilege escalation on the affected system, carrying a CVSS 3.1 base score of 7.8 reflecting high impact on confidentiality, integrity, and availability.

An attacker with local access and low privileges can exploit the flaw without user interaction by supplying a malicious link that Microsoft Defender follows before properly validating the target. Successful exploitation grants the attacker elevated rights on the host, enabling further actions such as installing persistent malware or accessing sensitive data.

Microsoft has published remediation guidance through its Security Response Center at the listed MSRC URL, while CISA includes the CVE in its Known Exploited Vulnerabilities catalog, indicating that federal agencies must apply available mitigations. The EPSS score rose from a low baseline to a peak of 0.1210 the day after disclosure before receding to the current value of 0.0821, showing measurable post-publication exploitation interest.

Vulnerability details

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CWE(s): CWE-59
KEV Date Added: 20 May 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Link-following vulnerability in a privileged process (Defender) directly enables local privilege escalation via exploitation of a software flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21391 · Same vendor: Microsoft · both on KEV
CVE-2025-60710 · Same vendor: Microsoft · both on KEV
CVE-2025-21418 · Same vendor: Microsoft · both on KEV
CVE-2025-24983 · Same vendor: Microsoft · both on KEV
CVE-2025-21331 · Same vendor: Microsoft
CVE-2025-49739 · Same vendor: Microsoft
CVE-2026-33825 · Same vendor: Microsoft · both on KEV
CVE-2025-62221 · Same vendor: Microsoft · both on KEV
CVE-2025-62215 · Same vendor: Microsoft · both on KEV
CVE-2025-21333 · Same vendor: Microsoft · both on KEV

Affected Assets

microsoft
malware protection engine
1.1.26030.3008 — 1.1.26040.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly enforces access validation on file paths and links before Microsoft Defender performs operations, blocking the unauthorized link-following that leads to privilege escalation.

prevent

Requires prompt application of the vendor remediation for this specific flaw in Microsoft Defender, eliminating the improper link-resolution code path.

prevent

Restricts the initial low-privileged account's rights so that even successful link-following yields minimal additional access on the host.

References