Microsoft patches Defender zero-days exploited in live attacks

On May 21, 2026, Microsoft pushed out-of-band patches for two Windows Defender zero-days that were already being exploited in the wild. Researcher Chaotic Eclipse disclosed both vulnerabilities, publicly known as RedSun and UnDefend, without coordinated disclosure. At the time of release, neither had a CVE identifier or a fix. Endpoint security firm Huntress confirmed active exploitation before the patches existed.

What the two zero-days do

The more severe of the two, CVE-2026-41091, carries a CVSS score of 7.8 and affects the Microsoft Malware Protection Engine. The flaw stems from improper link resolution before file access: a low-privileged attacker can manipulate a symbolic link or directory junction while a Defender scan is running and escalate to full SYSTEM-level control. No elevated starting permissions are required.
The second, CVE-2026-45498, is rated CVSS 4.0 and affects the Microsoft Defender Antimalware Platform. It functions as a denial-of-service against the protection engine itself, silently blocking definition updates and degrading Defender's ability to detect new threats. Beyond standard Defender installations, the flaw also affects System Center Endpoint Protection, System Center 2012 R2 and 2012 Endpoint Protection, and Security Essentials. Neither vulnerability triggers a visible alert to the user or administrator during exploitation.

What the patch covers and what remains open

Both CVEs are resolved in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Microsoft delivers the fixes automatically through Defender's built-in update mechanism. Administrators should confirm their deployments are running those versions or newer, particularly in air-gapped or managed environments where automatic updates may be delayed.
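One way to perform that version check across a fleet, added here as an example rather than taken from the article or from Microsoft's guidance, uses the Get-MpComputerStatus cmdlet; the fixed build numbers are the ones named above, and a stale signature age is flagged because CVE-2026-45498 blocks definition updates silently:

```powershell
# Added example (not from the article): confirm the local Defender engine and
# platform are at or above the fixed builds. Get-MpComputerStatus is the real
# Defender cmdlet; AMEngineVersion, AMProductVersion and AntivirusSignatureAge
# are its actual property names.
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix (CVE-2026-41091, CVE-2026-45584)
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform fix (CVE-2026-45498)
$MaxSignatureAgeDays = 3                  # assumed threshold; tune to your update cadence

function Test-DefenderPatchLevel {
    param(
        # Accepts a Get-MpComputerStatus object so the same check can be run
        # against status objects collected from remote hosts.
        [Parameter(Mandatory)] $Status
    )
    $engine   = [version]$Status.AMEngineVersion
    $platform = [version]$Status.AMProductVersion
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EnginePatched    = ($engine -ge $FixedEngine)
        PlatformVersion  = $platform
        PlatformPatched  = ($platform -ge $FixedPlatform)
        SignatureAgeDays = $Status.AntivirusSignatureAge
        SignaturesStale  = ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
    }
}

$result = Test-DefenderPatchLevel -Status (Get-MpComputerStatus)
$result | Format-List

# Non-zero exit so RMM or Intune compliance scripts can act on the result.
if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning "Defender engine/platform below the fixed builds; run Update-MpSignature and re-check."
    exit 1
}
if ($result.SignaturesStale) {
    Write-Warning "Definitions are older than $MaxSignatureAgeDays days; updates may be blocked."
    exit 2
}
```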
CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, giving Federal Civilian Executive Branch agencies until June 3 to confirm patching. The same engine update that resolves CVE-2026-41091 also addresses a third flaw, CVE-2026-45584, a heap-based buffer overflow with a CVSS score of 8.1 that allows remote code execution without user interaction. CVE-2026-45584 has not yet been confirmed exploited in the wild.
RedSun and UnDefend are the fourth and fifth zero-days released by Chaotic Eclipse over the past six weeks, all targeting Windows security components. MiniPlasma, which gives SYSTEM access on fully patched Windows 11 machines via the Cloud Filter driver, remains unpatched. For more on that disclosure and its context within the broader series, see our earlier report: