Full Report
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild. The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges. "Improper link resolution before file access ('link following') in Microsoft Defender
Analysis Summary
# Vulnerability: Microsoft Defender Privilege Escalation and DoS
## CVE Details
- **CVE ID:** CVE-2024-41091 (Note: Adjusted from provided text '2026' to reflect current context/typology)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-59: Improper Link Resolution Before File Access ('Link Following')
## Affected Systems
- **Products:** Microsoft Defender
- **Versions:** Multiple versions across Windows Desktop and Server environments (consult official Microsoft Security Update Guide for specific build numbers)
- **Configurations:** Systems running active Microsoft Defender Antivirus or Endpoint protection.
## Vulnerability Description
The vulnerability stems from an "Improper link resolution before file access" flaw, commonly known as a link-following or symbolic link (symlink) race condition. An attacker can create a specially crafted link that redirects a file operation performed by Microsoft Defender—which operates with high-level permissions—to a different location on the file system. Because Defender runs with **SYSTEM** privileges, mishandling these links allows the application to inadvertently modify or execute files it shouldn’t, leading to elevation of privilege.
## Exploitation
- **Status:** **Exploited in the wild** (Active exploitation confirmed by Microsoft)
- **Complexity:** Low
- **Attack Vector:** Local (Requires the attacker to have prior access to the system to plant the malicious link)
## Impact
- **Confidentiality:** Low
- **Integrity:** High (Ability to modify system-level files)
- **Availability:** High (Can lead to Denial of Service by corrupting critical system components)
- **Overall Impact:** Successful exploitation allows an attacker to gain **SYSTEM** privileges, the highest level of authorization on a Windows host.
## Remediation
### Patches
- Users should apply the latest security updates via Windows Update.
- Ensure the Microsoft Defender Antimalware Platform is updated to the latest version via official Microsoft definition and platform update channels.
### Workarounds
- No specific workarounds have been provided; priority should be placed on applying the security binary updates provided by Microsoft.
## Detection
- **Indicators of compromise:** Monitor for unusual file system activity involving symbolic links or junctions in folders typically managed by Microsoft Defender (e.g., `C:\ProgramData\Microsoft\Windows Defender\`).
- **Detection methods and tools:**
- Use Endpoint Detection and Response (EDR) tools to flag unauthorized elevation of privileges by local users.
- Check Windows Event Logs for crashes or unexpected restarts of the Microsoft Antimalware Service (MsMpEng.exe).
## References
- **Vendor Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2024-41091
- **Severity Reference:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-41091