
CVE-2026-45498: Microsoft Defender DoS — Crafted Payload Blinds Security Scanning

CVE Details

CVE ID: CVE-2026-45498
CVSS Score: 4
Severity: Medium
Vendor: Microsoft
Product: Defender Antimalware Platform
Patch Status: Available
Published: May 20, 2026
EPSS Score: 2.3%
CISA Patch Deadline: June 10, 2026

Executive Summary

CVE-2026-45498 is a medium-severity (CVSS 4.0) denial-of-service vulnerability in Microsoft Defender’s Antimalware Platform. Exploitation allows an attacker to craft a malicious file or payload that, when processed by Defender’s scanning engine, causes the service to enter a resource-exhaustion state or crash entirely. The consequence is a window during which real-time protection is non-functional. CISA added this to the Known Exploited Vulnerabilities catalog on May 20, 2026. A patch is available.

While the CVSS score places this in medium territory, the exploitation context — used as a stepping stone to blind endpoint defences before deploying follow-on payloads — makes it more impactful in practice than the score suggests.

Affected Versions

Vulnerable: Microsoft Defender Antimalware Platform prior to version 4.18.26040.7

To check your current platform version:

Get-MpComputerStatus | Select-Object AMProductVersion

Vulnerability Details

The vulnerability is an insufficient input validation flaw in Defender’s core scanning engine. When the engine processes certain crafted inputs — malformed file structures, specific byte sequences, or otherwise abnormal payloads — it fails to bound-check resource allocation, leading to one of two outcomes:

  • Memory exhaustion: The scanner allocates progressively larger memory buffers while processing the crafted input, eventually exhausting available memory and causing the service to become unresponsive
  • Stack overflow: Certain crafted inputs trigger a stack overflow in the scanning process, causing an unhandled exception that terminates the Defender service (MsMpEng.exe)

In either case, real-time protection is suspended until the service restarts or is manually recovered. Windows Security Center will surface a notification that protection is temporarily disabled, but the protection gap exists regardless of whether anyone acts on that notification.

The attack does not require authentication in the traditional sense — the crafted payload simply needs to reach Defender’s scanner. This can occur via a malicious download, an email attachment, a USB-delivered file, or any other path that causes Defender to scan attacker-controlled content.

Why Medium CVSS Understates the Real Risk

DoS vulnerabilities in security software occupy a different risk category from DoS in, say, a web server. A crashed Defender service is not simply a degraded experience — it is a window of unprotected execution time. In observed exploitation, CVE-2026-45498 is being used in combination with CVE-2026-41091 and likely other techniques in multi-stage attack chains:

  1. Attacker delivers a crafted payload that crashes Defender (CVE-2026-45498)
  2. During the protection gap, attacker executes a second-stage payload that would otherwise be detected
  3. Second stage gains foothold; attacker escalates using CVE-2026-41091 or other means

Used this way, a “medium” DoS becomes an enabler for a critical-impact compromise. Treat this accordingly.

Patch and Remediation

Patch: Update the Microsoft Defender Antimalware Platform to version 4.18.26040.7 or later.

# Force an update check against Microsoft Update
Update-MpSignature -UpdateSource MicrosoftUpdateServer

# Verify the platform version (expect 4.18.26040.7 or later) and signature age
Get-MpComputerStatus | Select-Object AMProductVersion, AntivirusSignatureLastUpdated

Service recovery: If the vulnerability has been triggered and Defender has crashed, the service can be restarted manually:

net stop WinDefend
net start WinDefend

However, if the initial crash was deliberate and a second-stage payload executed during the gap, service recovery does not undo the subsequent compromise.

Detection

Monitor MsMpEng.exe crash events: Event ID 1001 (Application Error) or 1000 in the Windows Application log for MsMpEng.exe is a strong indicator. An unexpected Defender service crash — particularly one coinciding with a file download or delivery event — warrants investigation.

Windows Security Center alerts: CVE-2026-45498 exploitation will generate a Windows Security notification about disabled real-time protection. In environments with Defender for Endpoint, this will surface as a device health alert.

Correlate with follow-on execution: Look for process creation events immediately following a Defender crash. If MsMpEng.exe crashes and an unusual binary executes within seconds, treat it as a likely exploitation attempt.
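The crash-then-execution correlation described above, as an added example that is not part of the advisory: it runs over constructed event records in the shape of exported Windows events, assumes the field names shown and a 30-second window, and flags any process creation after an MsMpEng.exe crash event that is not the expected service restart or crash reporting.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in the shape of exported Windows events:
# Application 1000/1001 carry the faulting application in "app"; Security 4688
# (process creation) carries the new process path in "image". Times are UTC.
SAMPLE_EVENTS = [
    {"time": "2026-05-21T09:14:02Z", "log": "Security", "id": 4688,
     "image": r"C:\Windows\explorer.exe"},
    {"time": "2026-05-21T09:14:05Z", "log": "Application", "id": 1000, "app": "MsMpEng.exe"},
    {"time": "2026-05-21T09:14:09Z", "log": "Security", "id": 4688,
     "image": r"C:\Users\Public\Downloads\invoice_viewer.exe"},
    {"time": "2026-05-21T09:14:12Z", "log": "Security", "id": 4688,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-0\MsMpEng.exe"},
    {"time": "2026-05-21T09:20:00Z", "log": "Security", "id": 4688,
     "image": r"C:\Windows\System32\notepad.exe"},
]

CRASH_EVENT_IDS = {1000, 1001}      # Application log crash event IDs named in the advisory
WINDOW = timedelta(seconds=30)      # assumed "within seconds" window; tune per environment
# Assumed allowlist: binaries legitimately expected right after a Defender crash.
EXPECTED_AFTER_CRASH = {"msmpeng.exe", "werfault.exe"}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def defender_crashes(events):
    """Application log crash events whose faulting application is MsMpEng.exe."""
    return [e for e in events
            if e["log"] == "Application" and e["id"] in CRASH_EVENT_IDS
            and e.get("app", "").lower() == "msmpeng.exe"]

def correlate(events, window=WINDOW):
    """Flag process creations that start within `window` after each MsMpEng.exe crash."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for crash in defender_crashes(events):
        t0 = parse_time(crash["time"])
        for e in events:
            if e["log"] != "Security" or e["id"] != 4688:
                continue
            t = parse_time(e["time"])
            if not (t0 <= t <= t0 + window):
                continue
            if ntpath.basename(e["image"]).lower() in EXPECTED_AFTER_CRASH:
                continue  # service restart / crash reporting, not follow-on execution
            alerts.append({"crash_time": crash["time"], "image": e["image"],
                           "delay_s": int((t - t0).total_seconds())})
    return alerts
```

On the constructed data only the download-folder binary started 4 seconds after the crash is flagged; the earlier explorer.exe, the Defender restart and the process 6 minutes later are not.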

File analysis: The crafted payload files that trigger the crash may be identifiable after the fact. Collect and analyse files present on the system at the time of the crash. Microsoft has not released specific file signatures, but the crashing payload will be on disk unless actively removed.