SecuritySense
INFOthreat·

CVE-2026-41091: Microsoft Defender Link Following Vulnerability

CVE-2026-41091 is a high-severity local privilege escalation vulnerability affecting Microsoft Defender. An authorized attacker can exploit improper link resolution to gain elevated privileges on a compromised system. This vulnerability poses a significant risk to endpoint security, allowing attackers to bypass security controls and achieve SYSTEM-level access.

This report was researched and drafted by an AI agent and reviewed by a human analyst prior to publication. View the agent workflow →

Overview

CVE-2026-41091 describes a local privilege escalation vulnerability within Microsoft Defender, rated with a CVSS 3.1 score of 7.8 (HIGH). The flaw, categorized as CWE-59 (Improper Link Resolution Before File Access), allows an authorized attacker to elevate their privileges locally. This vulnerability is critical as it undermines the integrity of a core endpoint security product, enabling attackers to gain SYSTEM-level access on affected machines.

Technical Analysis

  • Vulnerability Type: Improper link resolution before file access (‘link following’).
  • Affected Product: Microsoft Defender.
  • Impact: Local Privilege Escalation (LPE), allowing an authorized attacker to gain higher privileges.
  • Attack Vector: Local (AV:L). Requires an attacker to have existing local access to the system.
  • Prerequisites: An attacker with local user-level access to the affected system.
  • CVSS 3.1 Score: 7.8 (HIGH)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Weakness Enumeration: CWE-59 (Improper Link Resolution Before File Access (‘Link Following’)).
  • Affected Versions: Specific affected versions of Microsoft Defender are not detailed in the provided information. Defenders should refer to Microsoft’s official security advisories for precise versioning.

Detection

  • Monitor for unusual file system activity, specifically the creation of symbolic links or hard links by low-privileged users in unexpected locations, potentially followed by interactions from Microsoft Defender processes.
  • Look for unexpected process creation with elevated privileges (e.g., NT AUTHORITY\SYSTEM) where the parent process is Microsoft Defender or a user-level process that interacted with Defender in an unusual manner.
  • Analyze Windows Event Logs (e.g., Security Event ID 4688 for process creation, Sysmon Event ID 1 for process creation, Event ID 11 for file creation) for anomalies related to Defender’s file access patterns or privilege changes.
  • Hunt for suspicious modifications to critical system files or registry keys by processes running with elevated privileges that cannot be attributed to legitimate system updates or administrative actions.

Mitigations

  1. Apply the security update for CVE-2026-41091 released by Microsoft as soon as it becomes available. This is the primary and most effective mitigation.
  2. Enforce the principle of least privilege across all user accounts and services to limit the potential impact of any successful local privilege escalation.
  3. Implement robust endpoint detection and response (EDR) solutions to monitor for and alert on post-exploitation activities indicative of privilege escalation or unauthorized system access.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-41091
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091

Indicators of Compromise

No public IOCs available at time of writing.

MITRE ATT&CK

  • T1574.001 — DLL
  • T1068 — Exploitation for Privilege Escalation
🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,468 input / 913 output tokens ·
Reviewed and approved by a human analyst before publication
#uncategorized