MS Defender Zero-Day Exploit Exposes Windows Risk
Microsoft Defender is supposed to protect Windows users from malware, but two newly patched zero-day flaws show how security software itself can become part of the attack surface.
The warning affects Windows users and administrators who rely on Microsoft Defender as their first line of defense against viruses, spyware, ransomware, and other malware. Defender is built into Windows and usually updates automatically, which makes it easy to assume that it is always protecting the system in the background.
Microsoft has now patched two Defender vulnerabilities that were reportedly being exploited in real-world attacks. One flaw could allow an attacker to gain higher privileges on a Windows machine, while the other could cause a denial-of-service condition in Defender's antimalware platform. That matters because antivirus software runs deeply inside the operating system, and when it has a serious flaw, attackers may be able to abuse the very tool that is supposed to stop the attacks in the first place.
Zero Day Exploits in the Wild
Microsoft released security updates for two Microsoft Defender vulnerabilities that were exploited as zero-days. A zero-day is a security flaw that attackers know about before a reliable patch is widely available, or before users and administrators have had enough time to protect themselves.
The first flaw is tracked as CVE-2026-41091 and affects the Microsoft Malware Protection Engine. That component helps Defender scan, detect, and clean malicious files. The issue is described as an elevation-of-privilege vulnerability, which means an attacker who already has some level of access to a system may be able to gain more powerful permissions.
The second flaw is tracked as CVE-2026-45498 and affects the Microsoft Defender Antimalware Platform. That platform includes the software components Defender uses to provide real-time protection. This flaw is described as a denial-of-service vulnerability, meaning an attacker may be able to interfere with Defender's ability to operate properly.
According to BleepingComputer, Microsoft started rolling out patches for both vulnerabilities after they were exploited in zero-day attacks, with CVE-2026-41091 affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, and CVE-2026-45498 affecting Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. (Source: bleepingcomputer.com)
Why This is Different From an Ordinary Windows Bug
Windows vulnerabilities are common. Every month, Microsoft patches flaws in Windows, Office, Edge, Azure, Exchange, and other products. Most users are used to hearing that they need to install updates.
Defender flaws feel different because Defender is not just another app. It is the security layer many users trust to catch suspicious activity. For home users, it may be the only antivirus program installed. For businesses, it may be part of a broader endpoint security strategy, especially when paired with Microsoft Defender for Endpoint and other Microsoft security services.
That creates an uncomfortable reality: the program watching for attacks can also become a target. Antivirus and endpoint protection tools often run with elevated privileges because they need deep access to files, processes, memory, scripts, and system behavior. That access is necessary for security, but it also means a vulnerability inside the security tool can have serious consequences.
This does not mean Microsoft Defender is unsafe or that users should disable it. It means Defender needs to be patched and monitored like any other critical software. Security software is not magic. It is code, and code can have bugs.
Why Attackers Care About Defender
Attackers have a strong incentive to target antivirus software. If they can disable it, bypass it, crash it, or use it to gain more power on the system, the rest of the attack becomes easier.
For example, an attacker who begins with limited access to a PC may not be able to steal everything, install persistent malware, dump credentials, or control the system fully. But if that attacker can exploit a privilege escalation flaw, the attack may move from a limited foothold to full system control.
That is why elevation-of-privilege bugs are dangerous. They are not always the first step in an attack. Instead, they are often used after the attacker has already gained some access through phishing, a malicious attachment, a stolen password, remote access abuse, or another vulnerability.
The denial-of-service issue is also important because security tools must stay available. If malware can interfere with Defender, crash part of its protection stack, or prevent normal scanning and monitoring, that can create a window where other malicious activity is harder to stop.
What Users Need To Know
For most home users, the good news is that Microsoft Defender normally updates itself automatically. That means many systems may already have the fixed versions without the user doing anything manually.
The problem is that "automatic" does not always mean "verified." Some computers are offline for long periods. Some have broken update services. Some are behind corporate policies. Some are running older images, paused updates, metered connections, or security tools that interfere with update delivery. And some users deliberately block updates with a tool such as Windows Update Blocker (WUB) because they are wary of updating their systems on a regular basis, given that Microsoft's track record for Windows Updates isn't exactly stellar.
Which Versions of Microsoft Defender are Affected?
Do not assume Defender is current. Check it.
Windows users can open Windows Security, go to Virus & threat protection, then look for protection updates and check for updates manually. Administrators should verify Defender engine and platform versions across managed devices, especially laptops, remote systems, and servers that may not check in consistently.
The last affected versions were:
- Engine: 1.1.26030.3008 and earlier
- Platform: 4.18.26030.3011 and earlier
The patched versions are:
- Microsoft Malware Protection Engine: 1.1.26040.8 or later
- Microsoft Defender Antimalware Platform: 4.18.26040.7 or later
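The manual check above works for one PC, but administrators need the same answer for every managed device. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the locally installed engine and platform versions with the built-in Defender cmdlet Get-MpComputerStatus, compares them with the patched versions quoted above, and also confirms that the antimalware service and real-time protection are actually running (the availability the denial-of-service flaw threatens). It assumes a Windows 10/11 or Windows Server host with Defender installed; the property names and cmdlets are Microsoft's, the function name is mine.

```powershell
# Added example (not from the article): compare the installed Defender
# engine/platform builds with the patched versions named in the article,
# and confirm the protection stack is active.
# Assumes the built-in Defender cmdlets (Get-MpComputerStatus,
# Update-MpSignature) are available on this host.

# Patched versions as stated in the article.
$PatchedEngine   = [version]'1.1.26040.8'
$PatchedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchState {
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine (1.1.x.x);
    # AMProductVersion is the Antimalware Platform (4.18.x.x).
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        EngineVersion         = $engine
        EngineIsPatched       = ($engine -ge $PatchedEngine)
        PlatformVersion       = $platform
        PlatformIsPatched     = ($platform -ge $PatchedPlatform)
        ServiceRunning        = $status.AMServiceEnabled
        RealTimeProtectionOn  = $status.RealTimeProtectionEnabled
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderPatchState
$result | Format-List

if (-not ($result.EngineIsPatched -and $result.PlatformIsPatched)) {
    Write-Warning "Defender engine or platform is older than the patched build on $($result.Computer); requesting an update."
    # Security intelligence updates also carry engine updates; platform
    # updates are delivered separately through Windows Update, so a
    # PlatformIsPatched = False result still needs Windows Update to run.
    Update-MpSignature
}
elseif (-not ($result.ServiceRunning -and $result.RealTimeProtectionOn)) {
    Write-Warning "Defender is patched on $($result.Computer) but the antimalware service or real-time protection is not active."
}
```

To run the same check across a fleet, save the script as a file and hand it to Invoke-Command with a list of hosts (for example Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Check-Defender.ps1); the returned objects can then be sorted on EngineIsPatched and PlatformIsPatched to find the laptops and servers that never checked in. A version that is current but a service that is not running is reported separately on purpose, since the two failure modes in the article (stale build versus a protection stack that has been knocked over) call for different follow-up.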
Should You Switch To Another Antivirus?
Every antivirus product has vulnerabilities from time to time. Third-party antivirus tools also run deeply inside the operating system, inspect files and processes, and use privileged components. Replacing Defender with another product does not remove the possibility of security software having bugs.
The better question is whether your current security setup is being maintained properly. For a typical home user, Microsoft Defender plus automatic updates, a modern browser, strong passwords, passkeys where available, and caution with email attachments is usually a reasonable baseline.
For businesses, the answer depends on risk tolerance, visibility, compliance needs, and how well endpoint protection is managed. Some organizations may use Defender as part of Microsoft 365 security. Others may use third-party endpoint detection and response tools. Either way, the key issue is not the brand name. The key issue is whether the product is updated, monitored, and backed by a process that catches failures.
Conclusion
The Defender zero-days are a reminder that security software can protect users and still be vulnerable itself. That may sound contradictory, but it is a normal part of modern cybersecurity. The tools that defend Windows are powerful because they operate close to the system, and that power makes them valuable targets.
Microsoft has patched the reported Defender flaws, and many systems should receive the fixes automatically. Still, users should not blindly assume everything is current. A quick manual check is worthwhile, especially when a vulnerability is known to be exploited in the wild.
The practical message is straightforward: keep Defender updated, make sure Windows Update is working, and treat security software as something that also needs security attention. Antivirus is important, but it is not invincible. Also, last but not least: use disk image backups to back up your operating system in case a Windows Update breaks something; you can then roll back the operating system as if nothing ever happened.
What's Your Opinion?
Do you trust Microsoft Defender as your main antivirus protection, or do zero-day flaws like this make you more likely to consider third-party security software?
Should users expect built-in Windows security to update silently in the background, or should Microsoft make Defender engine and platform update status easier for ordinary users to see and understand?
Have you ever found that Defender, Windows Update, or another security product was out of date without warning? Share your thoughts in the comments below.

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in technical support and cyber crimes with over 30 years of experience; I also run this website! If you need technical assistance, I can help.