High (7.5) Actively Exploited

Microsoft Defender DoS exploited in the wild (CVE-2026-45498)


Actively exploited - CVE-2026-45498 is a high-severity denial of service vulnerability in Microsoft Defender (CVSS 7.5) that lets attackers crash the service locally. Apply latest Windows updates immediately.

Affected: Microsoft Defender Antimalware Platform

Actively exploited in the wild - CVE-2026-45498 is a high-severity denial of service vulnerability in Microsoft Defender that lets any local user crash the security service without authentication. Microsoft has released patches; apply them immediately.

Overview

CVE-2026-45498 is a denial of service vulnerability in Microsoft Defender, the built-in antivirus and endpoint protection platform included with Windows operating systems. The flaw resides in the Defender core engine’s handling of malformed input files during on-access scanning.

An unauthenticated attacker with local access can exploit this vulnerability by placing a specially crafted file on a target system. When Defender’s real-time protection module scans the file, the process crashes, effectively disabling malware detection and prevention until the service is manually restarted or the system reboots.

Impact

Successful exploitation of CVE-2026-45498 allows attackers to:

  • Crash the Microsoft Defender service, leaving systems unprotected against malware
  • Disable real-time scanning without requiring administrative privileges
  • Create a window for subsequent malware deployment or persistence mechanisms
  • Bypass security controls on systems where Defender is the primary protection layer

The attack vector is local, meaning an attacker needs some level of access to the machine - but the vulnerability requires NO privileges and NO user interaction to trigger. Any user who can write a file to disk can crash Defender.

Affected Versions

All supported versions of Microsoft Defender on Windows 10, Windows 11, and Windows Server 2019/2022/2025 are potentially affected. The vulnerability was introduced in a security engine update and affects build versions prior to the latest monthly update.

Remediation

Microsoft has released an out-of-band security update for Defender’s engine to address CVE-2026-45498. The fix is distributed automatically through Windows Update and Microsoft Update for most consumer and enterprise environments. Administrators should:

  1. Verify Defender engine version is updated to the latest build
  2. Check Get-MpComputerStatus PowerShell output for engine version
  3. Force update by running Update-MpSignature in PowerShell if auto-update is delayed
  4. Restart the Microsoft Defender service if it has previously crashed

No workarounds are available - organizations must apply the engine update.
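The four remediation steps above as one PowerShell script, added here as an example that is not part of this advisory or of Microsoft's tooling. The minimum engine version is a placeholder because the page does not state the fixed build, and the MsMpEng.exe crash check (Application log, "Application Error" event ID 1000) is an assumption about how a Defender engine crash is usually recorded.

```powershell
# Added example: verify Defender engine state after CVE-2026-45498 remediation.
# $MinimumEngineVersion is a PLACEHOLDER; replace it with the fixed engine build
# from Microsoft's advisory (this page does not give it). Run as administrator.
[CmdletBinding()]
param(
    [version]$MinimumEngineVersion = '0.0.0.0'   # placeholder, see above
)

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

# Steps 1-2: compare the running engine build against the required minimum.
if ($engine -lt $MinimumEngineVersion) {
    Write-Warning "Engine $engine is below required $MinimumEngineVersion; forcing update."
    # Step 3: pull the update now instead of waiting for the scheduled check.
    Update-MpSignature -ErrorAction Stop
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
}
Write-Output "Defender engine version: $engine"

# Step 4: the service must be running with real-time protection enabled;
# a crash leaves WinDefend stopped and RealTimeProtectionEnabled false.
$svc = Get-Service -Name WinDefend
if ($svc.Status -ne 'Running') {
    Write-Warning "WinDefend is $($svc.Status); starting it."
    Start-Service -Name WinDefend
}
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is still disabled; investigate before relying on Defender.'
}

# Detection: an engine denial of service is an application crash of MsMpEng.exe,
# logged in the Application log by source "Application Error" with event ID 1000
# (assumed typical location; adjust if your telemetry differs).
$since = (Get-Date).AddDays(-7)
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'MsMpEng\.exe' }
if ($crashes) {
    Write-Warning "$($crashes.Count) MsMpEng.exe crash event(s) since $since; review for exploitation."
    $crashes | Select-Object TimeCreated, Id | Format-Table -AutoSize
}
```

Repeated MsMpEng.exe crashes on an unpatched engine build are the signal worth escalating; a single crash after the update is installed is more likely unrelated instability.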

This vulnerability is being exploited in conjunction with broader campaigns. For context, see Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12). The ability to disable endpoint protection without privileges aligns with the tactics described in "APT28 Hijacks SOHO Routers - Microsoft 365 Credentials" and "Storm-1175 Exploits Zero-Days to Deploy Medusa".

Security Insight

This vulnerability highlights a troubling pattern: core security products themselves becoming attack surfaces. CVE-2026-45498 is not an obscure RDP bug - it is a flaw in the software meant to protect every other application on the system. When defenders ship code that parses untrusted input before validation, they inherit the same supply-chain risks they warn customers about. Organizations should treat security agent software as high-risk infrastructure and monitor engine updates as critically as kernel patches.
