Tag: Zero-days

  • Microsoft patches Defender zero-days exploited in active attacks

    Key Takeaway

    – Two Windows Defender zero-days (RedSun and UnDefend) were exploited in the wild before patches, with CVE-2026-41091 (7.8) allowing SYSTEM privilege escalation in Malware Protection Engine and CVE-2026-45498 (4.0) causing DoS in Antimalware Platform.
    – Patches are available in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7; verify deployments are updated, especially in air-gapped or managed environments.
    – CISA added both CVEs to the Known Exploited Vulnerabilities catalog (deadline June 3, 2026 for Federal agencies); a third related flaw, CVE-2026-45584, was fixed by the same engine update but has not yet been confirmed exploited in the wild.

    On May 21, 2026, Microsoft pushed out-of-band patches for two Windows Defender zero-days that were already being exploited in real attacks. Researcher Chaotic Eclipse disclosed both vulnerabilities, publicly known as RedSun and UnDefend, without coordinated disclosure; at the time of release they had neither CVE identifiers nor fixes. Endpoint security firm Huntress confirmed active exploitation before the patches existed.

    Two Windows Defender zero-days and their impact

    The more severe of the two, CVE-2026-41091, carries a CVSS score of 7.8 and targets the Microsoft Malware Protection Engine. The flaw stems from an improper link resolution before file access, which lets a low-privileged attacker manipulate a symbolic link or directory junction during a Defender scan and escalate to full SYSTEM-level control. No elevated starting permissions are required.

    Second vulnerability details

    The second, CVE-2026-45498, is rated CVSS 4.0 and targets the Microsoft Defender Antimalware Platform. It functions as a denial-of-service against the protection engine itself, silently blocking definition updates and degrading Defender’s ability to detect new threats. The flaw affects System Center Endpoint Protection, System Center 2012 R2 and 2012 Endpoint Protection, and Security Essentials in addition to standard Defender installations. Neither vulnerability triggers a visible alert to the user or administrator during exploitation.

    Resolution and deployment guidance

    Both CVEs are resolved in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Microsoft delivers the fixes automatically through Defender’s built-in update mechanism. Administrators should confirm their deployments are running those versions or newer, particularly in air-gapped or managed environments where automatic updates may be delayed.
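    The following is an added example, not code from the article or from Microsoft, showing how an administrator could check a host against the two fixed versions named above. It uses the Defender PowerShell module's Get-MpComputerStatus cmdlet (whose AMEngineVersion and AMProductVersion properties report the engine and platform versions) and Update-MpSignature. The signature-age threshold is an assumed policy value, included because CVE-2026-45498 blocks definition updates silently, so stale signatures are a useful secondary indicator even on hosts that report the new versions.

```powershell
# Added example (not from the article): verify the Defender engine/platform
# versions quoted in the text and flag stale signatures on the local host.
# Assumes a Windows host with the Defender PowerShell module available.
# The two version thresholds are the fixed versions from the article; the
# signature-age limit is an assumed value, adjust it to local policy.

$RequiredEngine      = [version]'1.1.26040.8'   # Malware Protection Engine fix
$RequiredPlatform    = [version]'4.18.26040.7'  # Antimalware Platform fix
$MaxSignatureAgeDays = 3                        # assumed staleness threshold

$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion    # e.g. 1.1.xxxxx.x
$platform = [version]$status.AMProductVersion   # e.g. 4.18.xxxxx.x

$findings = @()
if ($engine -lt $RequiredEngine) {
    $findings += "Engine $engine is below $RequiredEngine (CVE-2026-41091 / CVE-2026-45584 unpatched)"
}
if ($platform -lt $RequiredPlatform) {
    $findings += "Platform $platform is below $RequiredPlatform (CVE-2026-45498 unpatched)"
}
# CVE-2026-45498 silently blocks definition updates, so an old signature
# timestamp is worth reporting even when the version checks pass.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
}

# Emit one record per host; suitable for collection into a fleet-wide report.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    EngineVersion    = $engine
    PlatformVersion  = $platform
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
    Compliant        = ($findings.Count -eq 0)
    Findings         = ($findings -join '; ')
}

# Remediation attempt on a non-compliant host: pull the latest definition
# package (which carries the engine). The platform update itself arrives
# through Windows Update, so re-run the check after the next update cycle.
if ($findings.Count -gt 0) {
    Update-MpSignature -ErrorAction Stop
}
```

    Run it with Invoke-Command across managed hosts and filter on Compliant -eq $false; air-gapped systems that cannot reach the update service will need the definition and platform packages staged manually before the check will pass.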

    Regulatory and broader context

    CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, giving Federal Civilian Executive Branch agencies until June 3 to confirm patching. The same engine update that resolves CVE-2026-41091 also addresses a third flaw, CVE-2026-45584, a heap-based buffer overflow with a CVSS of 8.1 that allows remote code execution without user interaction. CVE-2026-45584 has not yet been confirmed exploited in the wild.

    Background and related disclosures

    RedSun and UnDefend are the fourth and fifth zero-days released by Chaotic Eclipse over the past six weeks, all targeting Windows security components. MiniPlasma, which gives SYSTEM access on fully patched Windows 11 machines via the Cloud Filter driver, remains unpatched. For more on that disclosure and its context within the broader series, see our earlier report:

    • BleepingComputer
    • Security Week
    • Microsoft
    • nvd.nist.gov