CVE-2026-41091 - Microsoft Defender Link Following Vulnerability
CVE-2026-41091 is a link following vulnerability in Microsoft Defender that allows an authorized attacker to escalate privileges locally.
The flaw allows an authorized local attacker to escalate their privileges on a vulnerable system. Exploitation could let the attacker perform actions with elevated permissions, potentially leading to full system compromise. Microsoft has released mitigations to address this vulnerability, and defenders should apply them promptly. The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which underlines the urgency of addressing it.
Attack Chain
- An attacker gains initial authorized access to a system with a vulnerable version of Microsoft Defender.
- The attacker crafts a malicious link or file path.
- Microsoft Defender attempts to access the crafted link.
- Due to the link following vulnerability, Defender inadvertently accesses a resource outside of its intended scope, such as a privileged file or directory.
- The attacker leverages this access to manipulate system settings or execute commands with elevated privileges.
- The attacker escalates their privileges on the system.
- The attacker gains control over the system.
Impact
Successful exploitation of CVE-2026-41091 allows an authorized local attacker to escalate privileges on a vulnerable system running Microsoft Defender. This privilege escalation could lead to unauthorized access to sensitive data, modification of system configurations, or the execution of arbitrary code with elevated permissions. If successfully exploited, an attacker can gain full control over the affected system.
Recommendation
- Apply mitigations provided by Microsoft to address CVE-2026-41091 on all systems running Microsoft Defender.
- Follow applicable BOD 22-01 guidance for cloud services utilizing Microsoft Defender.
- If mitigations are unavailable, consider discontinuing use of the product.
Detection coverage (2 rules)
Detect CVE-2026-41091 Exploitation Attempt - Suspicious File Access by Defender
Severity: medium. Detects a CVE-2026-41091 exploitation attempt: monitors for Microsoft Defender accessing files in unusual locations, potentially indicating exploitation of the link following vulnerability.
Detect CVE-2026-41091 Exploitation Attempt - Defender Writing to Suspicious Locations
Severity: medium. Detects a CVE-2026-41091 exploitation attempt: monitors for Microsoft Defender writing files to unusual or protected locations.
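As an added example (not part of this advisory or the platform's own rules), the core check behind the second coverage rule, run over constructed file-create records: the Defender engine writing outside the directories it is expected to use. The process names, expected and protected path prefixes, and sample events are assumptions for illustration.

```python
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Assumptions for illustration: the Defender antimalware service runs as
# MsMpEng.exe (MpCmdRun.exe for on-demand scans) and normally writes only
# beneath these two trees; tune both from your own baseline telemetry.
DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe"}
EXPECTED_PREFIXES = ("c:\\programdata\\microsoft\\windows defender\\",
                     "c:\\program files\\windows defender\\")
# A Defender write landing in one of these trees is the "protected location" case.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass(frozen=True)
class FileEvent:
    """One normalised file-create record (e.g. Sysmon Event ID 11)."""
    image: str   # full path of the writing process
    target: str  # path written, exactly as logged

def _norm(path: str) -> str:
    # normpath collapses "..\" segments so a traversal out of an expected
    # directory is compared by its real prefix; lowercasing matches NTFS.
    return ntpath.normpath(path).lower()

def classify(ev: FileEvent) -> str | None:
    """Label a Defender write outside its expected scope, else None.
    Caveat: a symlink or junction inside an expected directory is invisible
    in the log, so this fires only when the logged path already resolves elsewhere."""
    if ntpath.basename(ev.image).lower() not in DEFENDER_IMAGES:
        return None
    target = _norm(ev.target)
    if target.startswith(EXPECTED_PREFIXES):
        return None
    if target.startswith(PROTECTED_PREFIXES):
        return "defender-write-protected-location"
    return "defender-write-unusual-location"

def scan(events: list[FileEvent]) -> list[tuple[str, str]]:
    """Return (label, logged target) for every event that trips the rule."""
    return [(lbl, ev.target) for ev in events if (lbl := classify(ev))]

# Constructed sample records, not real telemetry; the platform version is invented.
ENGINE = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe"
SAMPLE_EVENTS = [
    FileEvent(ENGINE, r"C:\ProgramData\Microsoft\Windows Defender\Scans\History\db.bin"),
    FileEvent(ENGINE, r"C:\ProgramData\Microsoft\Windows Defender\Scans\..\..\..\..\Windows\System32\drivers\x.sys"),
    FileEvent(ENGINE, r"C:\Users\Public\staged.txt"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\drivers\x.sys"),  # not Defender
]
```

The first coverage rule (unusual reads) is not modelled because on-access scanning legitimately reads files across the whole filesystem; the same prefix logic applies once a baseline of normal read locations exists.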
Detection queries are available on the platform.