June 2026 Patch Tuesday included three Microsoft Defender vulnerabilities you need to be aware of. The most urgent is CVE-2026-41091 — a CVSS 7.8 elevation of privilege vulnerability that has already been exploited in the wild. This is a zero-day: Microsoft confirmed active exploitation before the patch was publicly released. If you have not deployed the June 2026 updates to your Defender-protected Windows devices, that needs to change today.
Zero-day: already exploited in the wild
CVE-2026-41091 was exploited before June 2026 Patch Tuesday. This is not a theoretical risk — attackers are actively using this vulnerability. Prioritise deployment of the June 2026 Defender engine update above your standard patching cadence.
The Three Defender CVEs — June 2026
| CVE | Type | CVSS | Severity | Fix | Exploited |
|---|---|---|---|---|---|
| CVE-2026-41091 | Elevation of Privilege | 7.8 | Important | Engine 1.1.26050.11 / Platform 4.18.26050.15 | YES — Zero-day |
| CVE-2026-45498 | Denial of Service | — | Important | June 2026 engine update | No |
| CVE-2026-45584 | Remote Code Execution | — | Critical | Engine 1.1.26040.8 (already shipped) | No |
CVE-2026-41091 Detail: How the Attack Works
CVE-2026-41091 is an elevation of privilege vulnerability rooted in improper file-link handling in Microsoft Defender. An attacker who already has a local user account on the target system can exploit this vulnerability to elevate their privileges to SYSTEM level or equivalent.
The attack chain:
- Requires an authorized local attacker: The attacker must already have a foothold — a local user account or compromised session on the target machine. This is not a remote unauthenticated attack vector.
- Exploits Defender's file-link handling: Defender processes certain file system links (symlinks, junction points, or hardlinks) in a way that allows privilege confusion. The attacker crafts a malicious file-link that causes Defender to operate on a target file with elevated privileges.
- Privileges are elevated to SYSTEM: The result is local privilege escalation — a standard user account can obtain SYSTEM-level access. Combined with other vulnerabilities or malware, this turns a limited compromise into full device control.
CVE-2026-45584: Critical RCE — Already Fixed in May
CVE-2026-45584 is rated Critical and is a heap buffer overflow in the Defender scanning engine that allows remote code execution. This is the most severe of the three CVEs. The good news: it was fixed in Engine version 1.1.26040.8, which shipped before June 2026 Patch Tuesday as part of Microsoft's out-of-band engine update process.
Defender engine updates flow through Microsoft Update independently of the monthly Windows OS update. If your devices receive Defender engine updates automatically (the default for most environments), they likely already have this fix. Verify using the version check below.
How to Check Your Defender Versions
Run this in PowerShell on any Windows device to see the current Defender engine and platform versions:
```powershell
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled
```
Check these values against the target versions:
| Component | Minimum required version | What it patches |
|---|---|---|
| Engine (AMEngineVersion) | 1.1.26050.11 or later | CVE-2026-41091 (EoP zero-day) and CVE-2026-45498 (DoS) |
| Platform (AMProductVersion) | 4.18.26050.15 or later | June 2026 platform security fixes |
| Engine (CVE-2026-45584 RCE fix) | 1.1.26040.8 or later | CVE-2026-45584 (Critical RCE heap buffer overflow) |
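To apply the table automatically, the following added example (not part of the original article or any Microsoft tooling) compares the reported versions against the minimums above using `[version]`, which orders the dotted fields numerically instead of as text. The function name `Test-DefenderPatchLevel` and the sample object are hypothetical; the thresholds are the ones quoted in this article.

```powershell
# Added example. Minimum versions are taken from the table in this article.
$Minimums = @(
    [pscustomobject]@{ Property = 'AMEngineVersion';  Minimum = [version]'1.1.26040.8';   Covers = 'CVE-2026-45584 (RCE)' }
    [pscustomobject]@{ Property = 'AMEngineVersion';  Minimum = [version]'1.1.26050.11';  Covers = 'CVE-2026-41091 (EoP), CVE-2026-45498 (DoS)' }
    [pscustomobject]@{ Property = 'AMProductVersion'; Minimum = [version]'4.18.26050.15'; Covers = 'June 2026 platform security fixes' }
)

function Test-DefenderPatchLevel {
    param(
        # Any object exposing AMEngineVersion / AMProductVersion,
        # such as the output of Get-MpComputerStatus.
        [Parameter(Mandatory, ValueFromPipeline)] $Status
    )
    process {
        foreach ($m in $Minimums) {
            $raw    = $Status.($m.Property)
            $parsed = $null
            # TryParse returns $false for empty or malformed values, so a
            # device that reports no version is flagged as unpatched.
            $ok = [version]::TryParse([string]$raw, [ref]$parsed)
            [pscustomobject]@{
                Component = $m.Property
                Installed = $raw
                Minimum   = $m.Minimum
                Covers    = $m.Covers
                Patched   = $ok -and ($parsed -ge $m.Minimum)
            }
        }
    }
}

# Local device
Get-MpComputerStatus | Test-DefenderPatchLevel | Format-Table -AutoSize

# Constructed sample: as text, '1.1.9000.1' sorts after '1.1.26050.11'
# ('9' > '2'), so a string comparison would treat this old engine as current.
# The [version] comparison correctly reports Patched = False for the engine rows.
[pscustomobject]@{ AMEngineVersion = '1.1.9000.1'; AMProductVersion = '4.18.26050.15' } |
    Test-DefenderPatchLevel | Format-Table -AutoSize
```

Any row with `Patched` set to `False` names the component to update and the CVEs that remain open on that device.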
For fleet-wide visibility via Defender advanced hunting:
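```kusto
DeviceTvmSoftwareInventory
| where SoftwareName == "windows_defender"
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, SoftwareVersion, OSPlatform
// parse_version() compares versions numerically; a plain string "<" is lexicographic
| where parse_version(SoftwareVersion) < parse_version("1.1.26050.11")
| order by DeviceName asc
```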
June 2026 Patch Tuesday at a Glance
The Defender CVEs sit within a large June 2026 Patch Tuesday. Context for the broader update:
- 208: Total fixes this Patch Tuesday
- 38: Rated Critical
- 3: Microsoft Defender CVEs
Admin Action Checklist
- Immediately: Run `Get-MpComputerStatus` on representative devices. Confirm engine version is 1.1.26050.11 or later and platform is 4.18.26050.15 or later
- Fleet-wide: Use the advanced hunting query above to identify all devices running an engine version below 1.1.26050.11
- If using Microsoft Update / Windows Update for Business: Devices should already be receiving the updated engine automatically — verify via device inventory
- If using manual Defender updates: Download and deploy the June 2026 engine update package from the Microsoft Update Catalog immediately
- Zero-day context: If you have any indication of compromise on devices in your estate, prioritise those devices for immediate engine update and investigate using Defender for Endpoint live response
- RCE fix verification: Confirm engine version is at least 1.1.26040.8 to ensure the Critical CVE-2026-45584 RCE vulnerability is also patched