
CVE-2026-41091: Microsoft Defender Link Following Vulnerability

CVE-2026-41091 is a high-severity local privilege escalation vulnerability in Microsoft Defender, rated 7.8 CVSSv3.1. It stems from improper link resolution, allowing an authorized local attacker to gain elevated privileges. This vulnerability is listed in CISA’s KEV catalog, indicating active exploitation.

This report was researched and drafted by an AI agent and reviewed by a human analyst prior to publication.

Overview

CVE-2026-41091 is a local privilege escalation vulnerability affecting Microsoft Defender, specifically due to improper link resolution before file access (link following). An authorized local attacker can exploit this to elevate their privileges. This vulnerability is considered critical for defenders as it is actively exploited in the wild, as indicated by its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Technical Analysis

This vulnerability, classified as CWE-59 (Improper Link Resolution Before File Access), allows an authorized local attacker to achieve privilege escalation. The attack vector is local (AV:L), requires low privileges (PR:L), and does not require user interaction (UI:N). The core issue lies in Microsoft Defender’s handling of symbolic links or junctions, where it fails to properly resolve the target of a link before performing file operations. An attacker can craft a malicious link that, when accessed by a privileged Defender process, points to a location or file that the attacker wishes to manipulate with elevated permissions.

  • Vulnerability Type: Improper Link Resolution Before File Access (Link Following)
  • CVE ID: CVE-2026-41091
  • CVSS 3.1 Score: 7.8 (High)
  • Attack Vector: Local
  • Prerequisites: Authorized local attacker
  • Impact: High confidentiality, integrity, and availability impact (C:H/I:H/A:H)
  • Affected Products: Microsoft Malware Protection Engine, versions from 1.1.26030.3008 (inclusive) up to but not including 1.1.26040.8.
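The failure pattern described above (CWE-59) is generic enough to show in working code. The following is an added illustration, not Microsoft Defender's code and not taken from this report: a privileged routine writes into a directory that a less-privileged user can also write to, a planted link redirects the naive write outside that directory, and a hardened variant refuses to dereference any link. It uses POSIX semantics (O_NOFOLLOW and dir_fd) so it runs on Linux/macOS; the directory layout, file names and contents are constructed for the demo. On Windows the equivalent defence is to open with FILE_FLAG_OPEN_REPARSE_POINT and reject handles whose attributes include FILE_ATTRIBUTE_REPARSE_POINT, which covers both symbolic links and junctions.

```python
"""Added illustration of CWE-59 (link following) and one way to avoid it.

Not Microsoft Defender's code. Models the generic failure from the analysis
above: a privileged process opens a path inside a user-writable directory and
a planted link redirects the operation elsewhere. POSIX-only (O_NOFOLLOW,
dir_fd); the Windows analogue is described in the surrounding prose.
"""
import errno
import os
import stat
import tempfile


def naive_write(path: str, data: str) -> None:
    """Vulnerable pattern: open() dereferences whatever `path` points at."""
    with open(path, "w") as fh:
        fh.write(data)


def write_without_following_links(base_dir: str, name: str, data: str) -> None:
    """Hardened pattern: never dereference a link on the way to the target.

    The kernel decides at open() time (O_NOFOLLOW) instead of an earlier
    lstat() check, so there is no check-then-use window in which a regular
    file could be swapped for a link.
    """
    if name in ("", ".", "..") or os.sep in name:
        raise ValueError(f"invalid file name: {name!r}")

    # Open the containing directory itself and refuse if it is a link.
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
        try:
            fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
        except OSError as exc:
            if exc.errno == errno.ELOOP:  # final component is a symlink
                raise PermissionError(f"refusing to follow link: {name}") from exc
            raise
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise PermissionError(f"not a regular file: {name}")
            os.write(fd, data.encode())
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario using temp files only: a user-writable staging
    directory holds a link named report.txt pointing at a file outside it.
    Returns which pattern the link redirected."""
    root = tempfile.mkdtemp(prefix="cwe59-")
    staging = os.path.join(root, "staging")
    os.mkdir(staging)
    # Stand-in for a file the unprivileged user could not write directly.
    protected = os.path.join(root, "protected.txt")
    with open(protected, "w") as fh:
        fh.write("original")
    os.symlink(protected, os.path.join(staging, "report.txt"))

    naive_write(os.path.join(staging, "report.txt"), "redirected")
    with open(protected) as fh:
        naive_redirected = fh.read() == "redirected"

    try:
        write_without_following_links(staging, "report.txt", "redirected again")
        safe_refused = False
    except PermissionError:
        safe_refused = True

    # A plain name that is not a link is still written normally.
    write_without_following_links(staging, "clean.txt", "ok")
    with open(os.path.join(staging, "clean.txt")) as fh:
        clean_written = fh.read() == "ok"

    return {"naive_redirected": naive_redirected,
            "safe_refused": safe_refused,
            "clean_written": clean_written}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened function is that the check and the use are one system call; an lstat()-then-open() sequence would still be racy, because the link can be planted between the two calls.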

Detection

Detecting the direct exploitation of a link following vulnerability within a system service like Microsoft Defender can be challenging without specific internal telemetry. However, post-exploitation activity, where the attacker leverages the newly gained elevated privileges, can be identified.

  • Process Creation Anomalies: Monitor for unusual child processes spawned by MsMpEng.exe (Microsoft Defender’s core engine) that are not typical for its operation (e.g., cmd.exe, powershell.exe, wscript.exe, cscript.exe, or other administrative tools).
  • File System Monitoring: Look for unexpected file modifications or creations in sensitive system directories or user profiles, especially if attributed to the MsMpEng.exe process.
  • Registry Monitoring: Monitor for suspicious registry key modifications, particularly those related to persistence or service configurations, initiated by MsMpEng.exe.
  • Service Configuration Changes: Look for changes to Microsoft Defender’s service configuration or related components that could indicate tampering.

Sigma Detection Rules

⚠️ AI-generated detection rules. These are experimental starting points. Review field names, EventIDs, and logic against your environment’s schema before deploying. Tune to reduce false positives.

Suspicious Process Spawn by MsMpEng.exe

title: Suspicious Process Spawn by MsMpEng.exe
id: 7e7f8e9a-b0c1-4d2e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects unusual child processes spawned by Microsoft Defender's engine (MsMpEng.exe), which could indicate post-exploitation activity after a privilege escalation vulnerability like CVE-2026-41091.
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\MsMpEng.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\bitsadmin.exe'
      - '\certutil.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\schtasks.exe'
      - '\at.exe'
  condition: selection
falsepositives:
  - Legitimate Defender helper processes; baseline the child processes of MsMpEng.exe in your environment before deploying
level: high
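To make the rule's logic concrete, here is an added example, not from the report or its author, that applies the same selection (parent ends with \MsMpEng.exe and child image ends with one of the listed names) to constructed Sysmon Event ID 1 records modelled as JSON lines, as a log shipper would emit them. The field names follow Sysmon's schema; the Defender platform directory in the samples is a placeholder, and record IDs and command lines are constructed. Matching is case-insensitive, as Sigma's default string matching and Windows paths are.

```python
"""Added example: apply the Sigma rule's selection to constructed Sysmon
Event ID 1 records. Not part of the original report."""
import json

# Child images the rule treats as unusual for Defender's engine process.
SUSPICIOUS_CHILDREN = [
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    "\\cscript.exe", "\\mshta.exe", "\\bitsadmin.exe", "\\certutil.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\schtasks.exe", "\\at.exe",
]

# Constructed sample events as JSON lines. The platform version folder
# "0.0.0.0-0" is a placeholder. Records 2 and 4 are the ones that should alert.
SAMPLE_LOG = r"""
{"EventID": 1, "EventRecordID": 1, "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MsMpEng.exe", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MpCmdRun.exe", "CommandLine": "MpCmdRun.exe -SignatureUpdate"}
{"EventID": 1, "EventRecordID": 2, "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MsMpEng.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c set"}
{"EventID": 1, "EventRecordID": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "EventRecordID": 4, "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MSMPENG.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE", "CommandLine": "POWERSHELL.EXE -NoProfile"}
{"EventID": 3, "EventRecordID": 5, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MsMpEng.exe", "DestinationPort": 443}
"""


def _endswith_any(value: str, suffixes: list) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """Selection from the rule: process creation whose parent is MsMpEng.exe
    and whose image is one of the suspicious children."""
    if event.get("EventID") != 1:  # only process-creation events carry ParentImage
        return False
    return (_endswith_any(event.get("ParentImage", ""), ["\\MsMpEng.exe"])
            and _endswith_any(event.get("Image", ""), SUSPICIOUS_CHILDREN))


def hunt(log_text: str) -> list:
    """Parse JSON lines and return (EventRecordID, Image, CommandLine) for
    every record that matches the rule, in log order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_rule(event):
            alerts.append((event["EventRecordID"], event["Image"],
                           event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for record_id, image, cmdline in hunt(SAMPLE_LOG):
        print(f"record {record_id}: MsMpEng.exe spawned {image} ({cmdline})")
```

Record 1 (MpCmdRun.exe) is not in the suspicious list and does not alert, which is the behaviour you want for routine engine maintenance; before deploying, baseline which children MsMpEng.exe actually spawns in your environment and extend or trim SUSPICIOUS_CHILDREN accordingly.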

Mitigations

  1. Apply Security Updates: Immediately apply the latest security updates from Microsoft that address CVE-2026-41091. Ensure Microsoft Defender’s Malware Protection Engine is updated to version 1.1.26040.8 or newer.
  2. Principle of Least Privilege: Enforce the principle of least privilege for all user accounts to minimize the impact of successful local privilege escalation.
  3. Endpoint Detection and Response (EDR): Deploy and maintain EDR solutions to monitor for and alert on suspicious process activity and system changes that may indicate post-exploitation behavior.
  4. Regular Audits: Conduct regular security audits of system configurations and user permissions.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-41091
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41091
  • https://ltna.com.au/cyber

Indicators of Compromise

No public IOCs available at time of writing.

MITRE ATT&CK

🤖 AI Attribution: Generated by gemini-2.5-flash (1,879 input / 1,416 output tokens). Reviewed and approved by a human analyst before publication.