Microsoft Defender Vulnerabilities (CVE-2026-45584, CVE-2026-45498): Heap-Based Buffer Overflow and Denial of Service

Two vulnerabilities in Microsoft Defender have been disclosed: a heap-based buffer overflow (CVE-2026-45584, CVSS 8.1) enabling unauthorised remote code execution, and a denial-of-service vulnerability (CVE-2026-45498, CVSS 4.0). Both were covered extensively in the May 22, 2026 Vulnerability Intelligence Report and had a CISA KEV remediation deadline of June 3, 2026 — now passed. The fix is delivered through the Malware Protection Engine update to version 1.1.26040.8 and the Defender Antimalware Platform update to version 4.18.26040.7.

What Are the Vulnerabilities?

CVE-2026-45584 — Heap-Based Buffer Overflow (CVSS 8.1, CWE-122): A heap-based buffer overflow in Microsoft Defender allows an unauthorised attacker to execute code over a network. Because Defender runs with SYSTEM privileges on Windows endpoints and deeply integrates with the operating system, successful exploitation could lead to full system compromise. This CVE was added to CISA KEV on May 20, 2026 with a June 3 remediation deadline.

CVE-2026-45498 — Denial of Service (CVSS 4.0, CWE-400): A denial-of-service vulnerability in Microsoft Defender’s Antimalware Platform. Exploitation could cause the Defender service to crash or become unavailable, disabling malware protection on affected endpoints. This CVE was also added to CISA KEV on May 20 with a June 3 deadline.

Together with CVE-2026-41091 (a link-following LPE also in Defender), these formed a cluster of three Defender vulnerabilities with coordinated CISA KEV deadlines — all now passed.

Which Versions Are Affected?

  • CVE-2026-45584: Malware Protection Engine versions prior to 1.1.26040.8
  • CVE-2026-45498: Defender Antimalware Platform versions prior to 4.18.26040.7

Is It Being Exploited in the Wild?

Both CVEs were added to CISA KEV on May 20, 2026 with a June 3 deadline — now two days past. CISA KEV addition confirms active exploitation. The heap-based buffer overflow (CVE-2026-45584) enabling remote code execution through the antimalware engine is particularly dangerous — it means a crafted file scanned by Defender could trigger code execution with SYSTEM privileges.

What Is the Fix?

Both fixes are delivered through Windows Update as part of the regular Defender engine and platform updates. Verify the versions:

  • Malware Protection Engine: version 1.1.26040.8 or later
  • Defender Antimalware Platform: version 4.18.26040.7 or later

Advisories: MSRC CVE-2026-45584 | MSRC CVE-2026-45498

Recommendations

Verify Defender engine and platform versions across your endpoint fleet. These updates deploy automatically through Windows Update, but verify coverage — particularly on servers, VDI environments, and air-gapped systems where update policies may differ.
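The version check described above, as an added example that is not part of the original advisory: it reads the installed engine and platform versions with the built-in Get-MpComputerStatus cmdlet (AMEngineVersion is the Malware Protection Engine, AMProductVersion is the Antimalware Platform) and compares them against the fixed builds named in this post. The function name Test-DefenderPatchLevel and the use of Invoke-Command for remote hosts are my own choices; the remote path assumes WinRM is enabled on the targets.

```powershell
function Test-DefenderPatchLevel {
    <#
    .SYNOPSIS
    Reports whether Defender components meet the fixed versions for
    CVE-2026-45584 (engine) and CVE-2026-45498 (platform).
    .PARAMETER ComputerName
    Optional list of remote hosts; with no value the local machine is checked.
    #>
    param(
        [string[]]$ComputerName
    )

    # Minimum fixed versions from the advisory text.
    $required = [ordered]@{
        AMEngineVersion  = [version]'1.1.26040.8'   # Malware Protection Engine
        AMProductVersion = [version]'4.18.26040.7'  # Defender Antimalware Platform
    }

    # Collect status objects: local call, or one per remote host via WinRM.
    if ($ComputerName) {
        $statuses = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Get-MpComputerStatus
        }
    } else {
        $statuses = @(Get-MpComputerStatus)
    }

    foreach ($status in $statuses) {
        # Remote results carry PSComputerName; local results do not.
        $hostName = if ($status.PSComputerName) { $status.PSComputerName } else { $env:COMPUTERNAME }

        foreach ($component in $required.Keys) {
            $installed = [version]$status.$component
            [pscustomobject]@{
                Computer  = $hostName
                Component = $component
                Installed = $installed
                Required  = $required[$component]
                Patched   = ($installed -ge $required[$component])
            }
        }
    }
}

# Usage: check the local endpoint and fail the script if anything is below the fix.
$report = Test-DefenderPatchLevel
$report | Format-Table -AutoSize

if ($report.Patched -contains $false) {
    Write-Warning 'Defender engine or platform is below the fixed version; confirm update delivery on this host.'
    exit 1
}
```

For fleet-wide coverage, pass a host list (for example from Active Directory) as -ComputerName and export the resulting objects to CSV; hosts that never report back are the ones worth chasing first, since they are exactly the servers, VDI pools and isolated systems the advisory calls out.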

References

This advisory was first covered in the May 22, 2026 report.
