🔴 CVE-2026-41091 — Microsoft Defender Privilege Escalation (Actively Exploited)

CVE: CVE-2026-41091 | CVSS 7.8 HIGH | CWE-59 | CISA KEV — Due 2026-06-03
Fixable? ✅ Yes — patch auto-deployed via Windows Defender update

Business Impact: A local attacker (malware, an unprivileged user, or a compromised service account) can escalate to SYSTEM-level privileges on any Windows endpoint or server running Microsoft Defender. Combined with initial access, this enables full machine takeover, ransomware deployment, lateral movement, and credential harvesting. Both CVE-2026-41091 and CVE-2026-45498 are confirmed actively exploited in the wild and listed on CISA's Known Exploited Vulnerabilities catalog.

How to Fix: Defender updates automatically via Windows Update and Defender signature delivery. Verify that the engine version is 1.1.26040.8 or later: open Windows Security → Virus & threat protection → Protection updates → Check for updates. In the enterprise, validate that Intune/SCCM/WSUS is distributing Defender platform updates. Target Antimalware Platform version: 4.18.26040.7 or later.

Recommended Action: URGENT — CISA mandates remediation by June 3, 2026. Immediately verify the Defender engine version across all Windows endpoints. Review EDR telemetry for anomalous privilege escalation events. Isolate any endpoint showing unexpected SYSTEM-level processes originating from non-system users.

Official Source: Microsoft MSRC Advisory — CVE-2026-41091 | CISA KEV Catalog
Software Affected: Microsoft Defender (Windows Defender Antivirus / Malware Protection Engine)
Affected Versions: Malware Protection Engine 1.1.26030.3008 through 1.1.26040.7 (all builds before 1.1.26040.8) | Antimalware Platform 4.18.26030.3011 – 4.18.26040.6 | Fixed in Engine 1.1.26040.8 / Platform 4.18.26040.7

🔴 CVE-2026-45498 — Microsoft Defender Denial of Service (Actively Exploited)

CVE: CVE-2026-45498 | CVSS 4.0 MEDIUM (Microsoft) / 7.5 HIGH (NVD) | CWE-400 | CISA KEV — Due 2026-06-03
Fixable? ✅ Yes — patch auto-deployed via Windows Defender update

Business Impact: An unauthenticated local attacker can crash the Microsoft Defender service, blinding endpoint protection while other malicious activity proceeds undetected. It is often used alongside CVE-2026-41091 as a precursor step — disabling AV/EDR is a standard ransomware pre-deployment tactic.

How to Fix: Same update as CVE-2026-41091 — ensure the Defender engine is updated to 1.1.26040.8 or later. Both CVEs are remediated in the same update package.

Recommended Action: URGENT — CISA KEV applies. Verify that Defender is updated. Monitor for Defender service crashes or unexpected service stops. Consider a supplementary EDR layer if Defender is your primary protection.

Official Source: Microsoft MSRC Advisory — CVE-2026-45498
Software Affected: Microsoft Defender Antimalware Platform (Windows)
Affected Versions: Antimalware Platform 4.18.26030.3011 through 4.18.26040.6 | Malware Protection Engine up to and including 1.1.26030.3008 | Fixed in Engine 1.1.26040.8 / Platform 4.18.26040.7

🟠 CVE-2026-45585 — Windows BitLocker Bypass "YellowKey" (No Patch Yet, PoC Public)

CVE: CVE-2026-45585 | CVSS 6.8 MEDIUM | CWE-77 | Publicly disclosed, PoC available
Fixable? ⚠️ Partial — no security patch yet. Microsoft has published a PowerShell mitigation script (Remove-AutoFsTxFromWinRE.ps1).

Business Impact: An attacker with physical access (stolen laptop, insider threat, unattended workstation) can use a specially crafted USB drive to bypass BitLocker encryption and read the full drive contents without the BitLocker key. This completely defeats data-at-rest protection — undermining compliance requirements such as ISO 27001, NIS2, and GDPR for lost or stolen hardware. The public PoC on GitHub significantly lowers the attack bar.

How to Fix:
1. Apply Microsoft's PowerShell mitigation script Remove-AutoFsTxFromWinRE.ps1 — it removes autofstx.exe from the WinRE BootExecute registry key.
2. Switch from TPM-only to TPM+PIN mode — users with TPM+PIN are NOT vulnerable.
3. Enable the pre-boot PIN via Group Policy: Computer Configuration → Admin Templates → Windows Components → BitLocker → OS Drives → Require additional authentication at startup.
4. Monitor MSRC for the security patch when released.

Recommended Action: HIGH PRIORITY for organizations with mobile workers or laptop fleets. Apply the mitigation script immediately. Enforce TPM+PIN via Group Policy as a permanent baseline improvement. Audit BitLocker configurations across all endpoints.

Official Source: Microsoft MSRC Advisory — CVE-2026-45585 | Public PoC (GitHub)
Software Affected: Windows BitLocker / Windows Recovery Environment (WinRE) — TPM-only configurations
Affected Versions: Windows 11 24H2, 25H2, 26H1 (all builds, x64) | Windows Server 2025 (all builds, x64) | NOT affected: systems with BitLocker TPM+PIN pre-boot authentication

🔴 CVE-2026-42945 — NGINX Heap Buffer Overflow "NGINX Rift" (Actively Exploited, CVSS 9.2)

CVE: CVE-2026-42945 | CVSS 8.1 HIGH (v3.1) / 9.2 CRITICAL (v4.0) | CWE-122 | Actively exploited,...
Two actively exploited vulnerabilities in Microsoft Defender, CVE-2026-41091 (CVSS 7.8) and CVE-2026-45498 (CVSS 4.0), allow local privilege escalation to SYSTEM and denial-of-service via service crash, respectively. The vulnerabilities affect Microsoft Malware Protection Engine versions from 1.1.26030.3008 to before 1.1.26040.8 and Microsoft Defender Antimalware Platform versions from 4.18.26030.3011 to before 4.18.26040.7. Both are remediated by updating to Engine version 1.1.26040.8 and Platform version 4.18.26040.7, which are deployed via Windows Update.
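The two Defender cards give concrete fixed builds (engine 1.1.26040.8, platform 4.18.26040.7) and ask for a fleet-wide version check plus monitoring for service crashes. The script below is an added example written for this page; it is not Microsoft's code and not part of the advisories. It assumes an elevated PowerShell session on a Windows host where the Defender module (Get-MpComputerStatus, Update-MpSignature) is available, and it treats the two fixed builds as the only facts taken from the cards; the function and property names other than the Defender cmdlet outputs are the example's own.

```powershell
# Added example (not from the advisory or from Microsoft): compare the local Defender engine
# and platform builds against the fixed versions the two cards give, force an update when the
# host is below them, and surface the unexpected-stop events the DoS card says to monitor.
# Assumes an elevated session with the Defender PowerShell module present.

$FixedEngine   = [version]'1.1.26040.8'    # fixed Malware Protection Engine build (from the advisory)
$FixedPlatform = [version]'4.18.26040.7'   # fixed Antimalware Platform build (from the advisory)

function Test-DefenderFixed {
    # Pure comparison, so it also works on versions exported from Intune/SCCM inventories.
    param(
        [Parameter(Mandatory)][version]$Engine,
        [Parameter(Mandatory)][version]$Platform
    )
    [pscustomobject]@{
        Engine        = $Engine
        Platform      = $Platform
        EngineFixed   = $Engine   -ge $FixedEngine
        PlatformFixed = $Platform -ge $FixedPlatform
        Fixed         = ($Engine -ge $FixedEngine) -and ($Platform -ge $FixedPlatform)
    }
}

function Get-DefenderFixStatus {
    # AMEngineVersion / AMProductVersion are the engine and platform builds reported by Defender.
    $s = Get-MpComputerStatus
    $r = Test-DefenderFixed -Engine $s.AMEngineVersion -Platform $s.AMProductVersion
    # Service state matters for the DoS CVE: a fixed build whose service is stopped is still blind.
    $r | Add-Member -NotePropertyName ServiceRunning -NotePropertyValue $s.AMServiceEnabled -PassThru |
         Add-Member -NotePropertyName RealTimeOn     -NotePropertyValue $s.RealTimeProtectionEnabled -PassThru |
         Add-Member -NotePropertyName ComputerName   -NotePropertyValue $env:COMPUTERNAME -PassThru
}

function Get-DefenderUnexpectedStops {
    # Service Control Manager events 7031 and 7034 both mean "service terminated unexpectedly";
    # keep only those naming the Defender service.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender|WinDefend' } |
        Select-Object TimeCreated, Id, Message
}

$status = Get-DefenderFixStatus
if (-not $status.Fixed) {
    Write-Warning "$($status.ComputerName): engine $($status.Engine) / platform $($status.Platform) is below the fixed builds"
    # The engine ships with signature updates, so this pulls a new engine if one is published.
    # The platform comes through Windows Update / Intune / SCCM / WSUS; if PlatformFixed is still
    # false afterwards, delivery is blocked on that channel rather than on the host.
    Update-MpSignature
    $status = Get-DefenderFixStatus
}
$status | Format-List
Get-DefenderUnexpectedStops -Days 7 | Format-Table -Wrap -AutoSize
```

For the fleet-wide check the cards call for, run the same file through Invoke-Command -ComputerName against your endpoint list (or push it as an Intune/SCCM script) and collect the Get-DefenderFixStatus objects centrally; any host with Fixed false after the forced update, or with 7031/7034 events for the Defender service, is the one to isolate and investigate under the recommended actions above.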
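The YellowKey card splits hosts into affected (BitLocker with a bare TPM protector) and not affected (TPM+PIN pre-boot authentication), and asks for an audit of BitLocker configurations plus a move to TPM+PIN. The script below is an added example for this page, not Microsoft's mitigation script and not part of the advisory. It assumes an elevated session on Windows 11 / Windows Server 2025 with the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector), that the Group Policy from step 3 already allows or requires a PIN, and that a recovery password has been escrowed before any protector is changed. The classification names (TpmOnly, TpmPin, Other) and the helper functions are the example's own; configurations the card does not mention (startup key, password-only) are reported as Other rather than guessed at.

```powershell
# Added example (not from the advisory or from Microsoft): report OS drives still in the
# TPM-only configuration the YellowKey card marks as affected, and convert one to TPM+PIN.
# Assumes an elevated session with the BitLocker module and a PIN-permitting policy in place.

function Get-OsProtectorClass {
    # Map the protector types on an OS volume to the advisory's two buckets.
    # 'TpmOnly' = affected per the card; 'TpmPin' = the card's "NOT affected" configuration.
    # Anything else is 'Other' because the page says nothing about it.
    param([string[]]$KeyProtectorTypes)
    if ($KeyProtectorTypes -contains 'TpmPin' -or $KeyProtectorTypes -contains 'TpmPinStartupKey') { return 'TpmPin' }
    if ($KeyProtectorTypes -contains 'Tpm') { return 'TpmOnly' }
    return 'Other'
}

function Get-YellowKeyExposure {
    # One row per OS volume on this host; collect fleet-wide with Invoke-Command.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $class = Get-OsProtectorClass -KeyProtectorTypes $types
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $_.MountPoint
            Protection   = $_.ProtectionStatus
            Protectors   = ($types -join ',')
            Class        = $class
            Exposed      = ($_.ProtectionStatus -eq 'On') -and ($class -eq 'TpmOnly')
        }
    }
}

function ConvertTo-TpmPin {
    # Replace the bare TPM protector on an OS volume with TPM+PIN (step 2 of the card).
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Refuse to touch protectors unless a recovery password exists: if the new protector fails
    # to seal, the recovery password is the only way back into the OS.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add and escrow one before converting."
    }
    $bareTpm = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    try {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
    } catch {
        # A volume carries one TPM-based protector. If the add was refused because the bare TPM
        # protector is in the way, remove it and retry; the recovery password checked above still
        # protects the volume. Any other failure (e.g. policy forbids a PIN) is re-thrown untouched.
        if ($bareTpm.Count -eq 0) { throw }
        foreach ($p in $bareTpm) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
    }
    # Whether the add replaced it or not, make sure no bare TPM protector is left behind.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Get-YellowKeyExposure | Where-Object MountPoint -eq $MountPoint
}

# Audit first; convert only volumes the audit marks as exposed.
$audit = Get-YellowKeyExposure
$audit | Format-Table -AutoSize
if ($audit | Where-Object Exposed) {
    # Interactive prompt stands in for whatever PIN-enrolment flow your fleet uses.
    $pin = Read-Host -Prompt 'New BitLocker pre-boot PIN' -AsSecureString
    ConvertTo-TpmPin -Pin $pin
}
```

The audit half is safe to run broadly and gives the per-endpoint inventory the card asks for; the conversion half changes key protectors and should go through the same change process as any other BitLocker rekey. It does not replace step 1 (Microsoft's Remove-AutoFsTxFromWinRE.ps1), which addresses the WinRE side of the issue independently of the protector type.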