Critical advisory

CVE-2026-45584 - Microsoft Defender Heap-based Buffer Overflow RCE

CVE-2026-45584 is a heap-based buffer overflow vulnerability in Microsoft Defender that allows an unauthorized attacker to execute arbitrary code over a network.

CVE-2026-45584 is a critical vulnerability affecting Microsoft Defender. This heap-based buffer overflow allows an unauthorized attacker to execute arbitrary code on a vulnerable system over a network. The vulnerability was published on May 20, 2026. Successful exploitation could lead to a complete compromise of the affected system, potentially allowing the attacker to steal sensitive data, install malware, or disrupt critical services. Defenders need to ensure Microsoft Defender is up to date to mitigate this risk.

Attack Chain

  1. Attacker sends a specially crafted network packet to the targeted system.
  2. Microsoft Defender processes the malicious packet.
  3. The packet triggers a heap-based buffer overflow within Defender’s processing logic.
  4. The overflow allows the attacker to overwrite adjacent memory regions on the heap.
  5. The attacker carefully crafts the overflow data to inject malicious code into the process.
  6. The injected code is designed to execute with the privileges of the Microsoft Defender service.
  7. The attacker’s code executes, granting control over the system.
  8. The attacker can now perform actions such as installing malware, exfiltrating data, or establishing persistence.

Impact

Successful exploitation of CVE-2026-45584 allows a remote, unauthenticated attacker to execute arbitrary code on a system running Microsoft Defender. This could lead to complete system compromise, data theft, malware installation, and denial of service. Given the widespread use of Microsoft Defender, a successful attack could have a significant impact across many organizations.

Recommendation

  • Apply the security update released by Microsoft to address CVE-2026-45584 on all systems running Microsoft Defender immediately.
  • Monitor network traffic for suspicious patterns indicative of exploitation attempts targeting this vulnerability.
  • Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation activity.

Detection coverage (2 rules)

Detect CVE-2026-45584 Exploitation Attempt - Suspicious Network Traffic to Defender

Severity: high

Detects CVE-2026-45584 exploitation attempts by monitoring for suspicious network traffic patterns targeting Microsoft Defender.

Rule type: Sigma | Tactic: Execution | Technique: T1210 | Log sources: network_connection, windows

Detect CVE-2026-45584 - Defender Process Creating Suspicious Child Process

Severity: critical

Detects CVE-2026-45584 exploitation attempts by monitoring for Defender spawning suspicious child processes.

Rule type: Sigma | Tactic: Execution | Technique: T1059.001 | Log sources: process_creation, windows
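The second rule's logic (Defender spawning a command interpreter, process_creation telemetry) can be checked against sample events before it is deployed to a SIEM. The script below is an added example written for this brief, not the platform's own Sigma rule: it builds a Sigma-style selection, evaluates it over constructed Sysmon-like process creation events, and returns the alerts. The parent image name MsMpEng.exe, the list of child interpreters, and the sample file paths and command lines are assumptions chosen for the example, not values taken from the advisory.

```python
"""Toy evaluator for a Sigma-style process_creation detection.

Added example, not the advisory's own rule. Flags events where a
Microsoft Defender service process spawns a command interpreter.
The parent image (MsMpEng.exe) and the child image list are assumptions
made for this example.
"""
from dataclasses import dataclass

# Constructed Sigma-like rule, shaped like the advisory's second detection
# (process_creation / windows, technique T1059.001).
RULE = {
    "title": "Defender Process Creating Suspicious Child Process",
    "level": "critical",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            # assumed Defender antimalware service binary
            "ParentImage|endswith": "\\MsMpEng.exe",
            # assumed set of interpreters a scanner service should never launch
            "Image|endswith": [
                "\\powershell.exe",
                "\\pwsh.exe",
                "\\cmd.exe",
                "\\rundll32.exe",
            ],
        },
        "condition": "selection",
    },
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event (Sysmon Event ID 1 style field names)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _field_matches(value: str, modifier: str, pattern) -> bool:
    """Apply one Sigma field modifier; list values are OR-ed, case-insensitive."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def event_matches(rule: dict, event: ProcessEvent) -> bool:
    """Every field in the selection map must match (Sigma AND semantics)."""
    field_map = {
        "ParentImage": event.parent_image,
        "Image": event.image,
        "CommandLine": event.command_line,
    }
    selection = rule["detection"]["selection"]
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(field_map.get(field, ""), modifier, pattern):
            return False
    return True


def scan(rule: dict, events) -> list[dict]:
    """Return one alert dict per event that satisfies the rule."""
    return [
        {"host": e.host, "rule": rule["title"], "level": rule["level"],
         "parent": e.parent_image, "child": e.image}
        for e in events
        if event_matches(rule, e)
    ]


# Constructed sample telemetry (paths and command lines are made up):
# 1) Defender launching its own scan helper (benign, no alert)
# 2) Defender service launching PowerShell (alert)
# 3) PowerShell launched from Explorer (not Defender, no alert)
DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z"
SAMPLE_EVENTS = [
    ProcessEvent("ws01", DEFENDER_DIR + r"\MsMpEng.exe",
                 DEFENDER_DIR + r"\MpCmdRun.exe", "MpCmdRun.exe -Scan -ScanType 1"),
    ProcessEvent("ws01", DEFENDER_DIR + r"\MsMpEng.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden"),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
]

if __name__ == "__main__":
    for alert in scan(RULE, SAMPLE_EVENTS):
        print(alert)
```

Only the second sample event produces an alert: the first has the right parent but a child outside the interpreter list, and the third has an interpreter child but a non-Defender parent. Tuning the child list and adding an exclusion for known Defender helper binaries is where most false-positive work on such a rule goes in practice.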

Detection queries are available on the platform.