Description
Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
Published: 2026-05-20
Score: 7.8 High
EPSS: n/a
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper link resolution before file access in Microsoft Defender's Malware Protection Engine. It enables an authorized user to provide a crafted file path that the engine will follow and then access a file with elevated privileges, resulting in a local privilege‑escalation capability. The flaw is classified as CWE‑59, a path‑traversal or incorrect link resolution weakness.

Affected Systems

Microsoft Malware Protection Engine is the affected product. No specific version information is supplied; the resolution applies to all deployments of the product for which the linked update has been released.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is not available, so the current likelihood of exploitation is unknown. The vulnerability is listed in the CISA KEV catalog, indicating that exploitation has been observed or is anticipated. Considering the documented local trigger, an attacker would need local or administrative access to construct the malicious file link; however, any compromised account could potentially leverage the flaw to elevate privileges.

Generated by OpenCVE AI on May 20, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security update for Microsoft Defender from the Microsoft Security Response Center (see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091).
  • Verify that the Defender component is configured to run with the least privilege required for its operations.
  • Restrict user accounts to the minimum set of permissions necessary for work and monitor for anomalous file access that might indicate exploitation of path resolution.

Generated by OpenCVE AI on May 20, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-20T00:00:00+00:00', 'dueDate': '2026-06-03T00:00:00+00:00'}

Wed, 20 May 2026 13:15:00 +0000

Type Values Removed Values Added
Description Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
Title Microsoft Defender Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft malware Protection Engine
Weaknesses CWE-59
CPEs cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft malware Protection Engine
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Malware Protection Engine
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-20T23:28:39.257Z

Reserved: 2026-04-16T19:12:36.195Z

Link: CVE-2026-41091

cve-icon Vulnrichment

Updated: 2026-05-20T17:13:03.067Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T13:16:29.173

Modified: 2026-05-20T19:06:36.850

Link: CVE-2026-41091

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T18:30:36Z

Weaknesses