CVE-2026-45498 Overview
CVE-2026-45498 is a denial of service vulnerability in the Microsoft Defender Antimalware Platform. The flaw allows unauthenticated remote attackers to exhaust system resources on affected hosts, disrupting endpoint protection services. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The weakness is categorized under [CWE-400] uncontrolled resource consumption.
Critical Impact
Remote attackers can disable Microsoft Defender protections across enterprise endpoints without authentication or user interaction, creating coverage gaps for follow-on attacks.
Affected Products
- Microsoft Defender Antimalware Platform (all unpatched versions per vendor advisory)
- Windows endpoints relying on Microsoft Defender for real-time protection
- Server systems running Microsoft Defender Antimalware Platform
Discovery Timeline
- 2026-05-20 - CVE-2026-45498 published to the National Vulnerability Database
- 2026-05-20 - Last updated in the NVD database
- 2026-05-20 - Added to CISA Known Exploited Vulnerabilities catalog
Technical Details for CVE-2026-45498
Vulnerability Analysis
The vulnerability resides within the Microsoft Defender Antimalware Platform, the engine responsible for real-time scanning and behavioral analysis on Windows systems. Attackers reach the vulnerable code path over the network without authentication or user interaction. Successful exploitation does not compromise data confidentiality or integrity, but it terminates or hangs the antimalware service.
When Defender stops responding, real-time protection, cloud-delivered protection, and behavioral analytics cease functioning. This leaves endpoints unprotected against malware that would otherwise be blocked. Attackers commonly chain a DoS against security tooling with a secondary payload that would only succeed while the endpoint defense product is inactive.
Root Cause
The weakness maps to [CWE-400] uncontrolled resource consumption. The Defender scanning engine processes attacker-supplied input without enforcing limits on memory, CPU, or processing time. Malformed or specially crafted content can drive the engine into a resource-exhaustion state. Microsoft has not published low-level technical details. See the Microsoft Security Update Guide for vendor information.
Attack Vector
The attack vector is network-based and requires no privileges. An attacker delivers crafted content that Defender automatically inspects, such as a file written to disk, an email attachment, a web download, or content traversing a monitored share. The scan itself triggers the resource exhaustion. Because Defender inspects content automatically, no user action is required beyond standard system activity.
Detection Methods for CVE-2026-45498
Indicators of Compromise
- Unexpected termination or repeated crashes of the MsMpEng.exe process
- Microsoft Defender real-time protection transitioning to a disabled or unresponsive state without administrator action
- Sustained high CPU or memory consumption by Defender services followed by service failure
- Windows Event Log entries indicating Defender engine failures or scan timeouts
Detection Strategies
- Monitor Microsoft Defender operational event logs (Microsoft-Windows-Windows Defender/Operational) for engine errors, scan failures, and protection state changes
- Alert on Defender service stop events (Event ID 5001, 5007, 5010) occurring outside of scheduled maintenance windows
- Correlate Defender service outages with subsequent process executions, file writes, or network connections that would normally be inspected
- Track endpoints reporting stale signature update timestamps or missing telemetry to the management console
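The following PowerShell is an added example, not code from the advisory or from Microsoft: it applies the first two detection strategies above on a single host by querying the Defender operational log for the protection-state Event IDs named there (5001, 5007, 5010) plus any error-level engine events, and pairs that with the live service state. The lookback window and the report layout are this example's own choices.

```powershell
# Added example: local Defender health and protection-state check.
# Log name and Event IDs are the ones cited in the Detection Strategies section.
$logName       = 'Microsoft-Windows-Windows Defender/Operational'
$stateEventIds = 5001, 5007, 5010   # RTP disabled / configuration changed / scanning disabled
$lookbackHours = 24                 # assumption: one day is a reasonable triage window

# Pull recent events; Get-WinEvent errors when nothing matches, so suppress that case.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -ErrorAction SilentlyContinue

$stateChanges = @($events | Where-Object { $_.Id -in $stateEventIds })
$engineErrors = @($events | Where-Object { $_.Level -eq 2 })   # Level 2 = Error

# Live view: is the service up and is real-time protection actually on right now?
$status = Get-MpComputerStatus
$svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    WinDefendStatus    = if ($svc) { $svc.Status } else { 'NotFound' }
    AMServiceEnabled   = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    PlatformVersion    = $status.AMProductVersion
    EngineVersion      = $status.AMEngineVersion
    SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    StateChangeEvents  = $stateChanges.Count
    EngineErrorEvents  = $engineErrors.Count
    LastStateChange    = if ($stateChanges) { $stateChanges[0].TimeCreated } else { $null }
} | Format-List

# List the individual events (first line of each message) so an analyst can
# correlate state changes with the maintenance schedule and with later activity.
($stateChanges + $engineErrors) | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A non-zero StateChangeEvents count outside a maintenance window, or RealTimeProtection reporting False while AMServiceEnabled is True, is the condition the Detection Strategies list says to alert on; wrap the script in Invoke-Command to run it across a fleet.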
Monitoring Recommendations
- Centralize Defender health telemetry in a SIEM to detect fleet-wide protection degradation
- Apply behavioral analytics that flag the absence of expected Defender heartbeat events
- Review CISA KEV advisories regularly and prioritize alerting for cataloged vulnerabilities
- Validate that endpoint protection status dashboards reflect real-time agent state, not cached values
How to Mitigate CVE-2026-45498
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide as soon as possible
- Confirm that Microsoft Defender Antimalware Platform components are updated to the fixed version across all endpoints and servers
- Prioritize remediation on internet-facing systems and high-value assets given CISA KEV listing
- Verify Defender platform update channels are functioning and not blocked by network or policy restrictions
Patch Information
Microsoft has released updates addressing CVE-2026-45498. The Microsoft Defender Antimalware Platform typically updates automatically through Microsoft Update and the Defender platform update channel. Administrators should confirm successful deployment by checking the Antimalware Client Version and Engine Version against the fixed versions listed in the Microsoft Security Update Guide.
Workarounds
- Restrict exposure of endpoints to untrusted network sources where automatic Defender inspection would occur
- Apply network segmentation and email filtering to reduce delivery of attacker-controlled content
- Monitor Defender service health continuously and configure automated restart of failed antimalware services
- Maintain a secondary layer of behavioral endpoint protection so that a Defender outage does not eliminate all coverage
# Verify Microsoft Defender platform and engine versions on Windows
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
# Force a security intelligence (signature) update; engine updates ship through the same channel,
# while platform (AMProductVersion) updates arrive via Microsoft Update
Update-MpSignature
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.