Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-41091 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-41091 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-41091 is a link following vulnerability in Microsoft Defender that enables a locally authenticated attacker to escalate privileges on the affected system.

Technical Detail

The flaw involves improper handling of symbolic links or file system junctions within Microsoft Defender, a class of vulnerability where the application follows a crafted link to access or manipulate resources outside its intended scope. An authorized local attacker can exploit this by creating a malicious link that Defender processes with elevated permissions, redirecting operations to sensitive targets. Successful exploitation results in local privilege escalation, potentially allowing the attacker to gain SYSTEM-level access or modify protected resources.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on May 20, 2026. The exploit maturity is rated Operational, meaning functional exploit code exists and is being used in real-world attacks, not merely as a proof of concept. Organizations should treat this as an actively weaponized vulnerability requiring immediate attention.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No campaigns, targeted sectors, or named groups have been associated with exploitation of this vulnerability in the available data.

What To Do

Apply the relevant Microsoft security update for Defender immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the deadline established upon its May 20, 2026 listing, typically within 14 days for KEV additions. Organizations should verify that Microsoft Defender is updated to the patched version through Windows Update, Microsoft Update Catalog, or endpoint management tooling. Given that exploitation requires local access, defenders should also audit local user privileges, review recent privilege escalation events in endpoint detection logs, and ensure least-privilege principles are enforced across managed systems. No confirmed workarounds are available as an alternative to patching.