CVE-2026-45584 Overview
CVE-2026-45584 is a heap-based buffer overflow [CWE-122] in the Microsoft Malware Protection Engine, the scanning component used by Microsoft Defender. An unauthenticated attacker can trigger memory corruption over the network and execute arbitrary code in the security context of the engine. Microsoft assigned a CVSS 3.1 score of 8.1 with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting network reach without authentication or user interaction, offset by high attack complexity. Because the engine scans content automatically as files arrive on a system, exploitation can occur without any user action beyond receiving a crafted file.
Critical Impact
Successful exploitation grants code execution at the privilege level of the Malware Protection Engine, which typically runs with elevated rights on Windows endpoints and servers.
Affected Products
- Microsoft Malware Protection Engine (mpengine)
- Microsoft Defender Antivirus on supported Windows client and server editions
- Any Microsoft security product bundling the affected engine version
Discovery Timeline
- 2026-05-20 - CVE-2026-45584 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-45584
Vulnerability Analysis
The flaw is a heap-based buffer overflow in the Microsoft Malware Protection Engine. The engine parses a wide variety of file formats to identify malicious content, and a parsing routine writes attacker-controlled data beyond the bounds of a heap allocation. The resulting memory corruption can be steered to overwrite adjacent heap metadata or object pointers, leading to arbitrary code execution within the engine process.
Because the engine scans inbound files automatically, an attacker only needs to deliver a malformed file to a target system. Common delivery channels include email attachments, web downloads, instant messaging, and network file shares. The engine processes the file in real time, so no user interaction is required for the vulnerable code path to execute.
The high attack complexity rating reflects conditions outside the attacker's direct control, such as bypassing heap mitigations and reliably shaping the heap during a brief scanning window. The impact remains code execution with the privileges of the scanning service.
Root Cause
The root cause is improper bounds checking on attacker-influenced length or offset fields during file format parsing. The engine allocates a heap buffer based on one calculation but writes data using a different, untrusted value, producing an out-of-bounds write on the heap.
Attack Vector
The attack vector is network-based. An attacker delivers a crafted file to a target endpoint through any channel that results in the file being scanned, including SMTP, HTTPS downloads, or SMB shares. Once the engine inspects the file, the overflow triggers and the attacker gains code execution under the engine's security context.
No verified public proof-of-concept is available at the time of writing. See the Microsoft Security Update CVE-2026-45584 advisory for vendor-specific technical details.
Detection Methods for CVE-2026-45584
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of MsMpEng.exe or MpEngine.dll correlating with scans of newly received files.
- Windows Error Reporting entries referencing the Malware Protection Engine following arrival of attachments or downloads.
- Child processes spawned by MsMpEng.exe that perform reconnaissance, credential access, or outbound network connections.
Detection Strategies
- Monitor the running Malware Protection Engine version and alert when endpoints report a version older than the Microsoft-published fixed build.
- Hunt for anomalous process lineage where MsMpEng.exe or related Defender processes spawn shells, scripting hosts, or LOLBins.
- Inspect mail and web gateways for files that trigger Defender crashes or scanning timeouts on downstream endpoints.
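The two host-side signals above, an MsMpEng.exe crash and an MsMpEng.exe child it should never spawn, can be pulled from the built-in Windows event logs. This is an added example, not part of the advisory; it assumes an elevated session, process-creation auditing (Security event 4688) enabled, and an OS that records the creator image in 4688 (Windows 10 / Server 2016 or later).

```powershell
# Added example (not from the advisory): hunt for the two signals described above using
# built-in Windows event logs. Assumes process-creation auditing is enabled and the OS
# records the creator image in 4688 (Windows 10 / Server 2016 or later).

# Children that MsMpEng.exe should never spawn; extend from the page's "shells, scripting hosts, LOLBins".
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

function Find-DefenderAnomalousChildren {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Security 4688 = "A new process has been created".
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $parent = [IO.Path]::GetFileName([string]$data['ParentProcessName'])
        $child  = [IO.Path]::GetFileName([string]$data['NewProcessName'])
        if ($parent -ieq 'MsMpEng.exe' -and $SuspiciousChildren -icontains $child) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }
}

function Find-DefenderEngineCrashes {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Application log, provider "Application Error", Id 1000. Properties follow the message
    # field order: [0] faulting application, [3] faulting module, [6] exception code.
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ([string]$e.Properties[0].Value -ieq 'MsMpEng.exe') {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                FaultingModule = $e.Properties[3].Value
                ExceptionCode  = $e.Properties[6].Value
            }
        }
    }
}

# Run both hunts over the last week and show the hits side by side.
Find-DefenderAnomalousChildren | Format-Table -AutoSize
Find-DefenderEngineCrashes     | Format-Table -AutoSize
```

Correlating the timestamps of the two result sets (a crash of the engine followed shortly by an unexpected child) is the pattern worth escalating; either signal alone also deserves a look at which file was being scanned.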
Monitoring Recommendations
- Centralize Defender platform and engine version telemetry to confirm patch rollout across the fleet.
- Forward Defender operational logs and process telemetry to a SIEM or data lake to correlate scan events with crash signals.
- Track outbound connections originating from Defender service processes, which should not initiate arbitrary network traffic.
How to Mitigate CVE-2026-45584
Immediate Actions Required
- Confirm the Microsoft Malware Protection Engine is updated to the fixed version listed in the Microsoft Security Update CVE-2026-45584 advisory.
- Validate that automatic engine updates are enabled and reaching all managed and unmanaged endpoints, including isolated and offline systems on reconnect.
- Audit endpoints that have not checked in recently and force a Defender platform update where required.
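Confirming the fix means comparing the engine build each endpoint actually runs against the build Microsoft names in the advisory. The function below is an added example, not vendor code; the fixed build is a placeholder because the advisory value is not reproduced on this page, 'server01' is a constructed hostname, and remote queries assume PowerShell Remoting is enabled.

```powershell
# Added example (not from the advisory): confirm the running engine build on one or more
# endpoints against the fixed build. $FixedEngineVersion is a PLACEHOLDER; take the real
# value from the Microsoft advisory for CVE-2026-45584.
$FixedEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed engine build from the advisory

function Test-MpEngineCompliance {
    param(
        [Parameter(Mandatory)][version]$Required,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # AMEngineVersion is the Malware Protection Engine build; AMProductVersion is the platform.
            $status = if ($computer -ieq $env:COMPUTERNAME) {
                Get-MpComputerStatus
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock { Get-MpComputerStatus }
            }
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName    = $computer
                EngineVersion   = $engine
                PlatformVersion = $status.AMProductVersion
                Compliant       = ($engine -ge $Required)
                LastSignature   = $status.AntivirusSignatureLastUpdated
                Error           = $null
            }
        } catch {
            # Hosts that cannot be queried are reported as non-compliant rather than skipped,
            # so they surface in the "has not checked in" audit.
            [pscustomobject]@{
                ComputerName    = $computer
                EngineVersion   = $null
                PlatformVersion = $null
                Compliant       = $false
                LastSignature   = $null
                Error           = $_.Exception.Message
            }
        }
    }
}

# 'server01' is a constructed hostname; pass your own list or read it from a CSV / AD query.
Test-MpEngineCompliance -Required $FixedEngineVersion -ComputerName $env:COMPUTERNAME, 'server01' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```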
Patch Information
Microsoft delivers Malware Protection Engine updates automatically through the standard definition and platform update channels, typically within 48 hours of release. Administrators should verify that the deployed engine version matches or exceeds the build identified in the Microsoft advisory. Environments that block or delay Microsoft Update must apply the engine update manually or through their internal distribution mechanism.
Workarounds
- No vendor-supplied workaround replaces patching; the engine update is the supported fix.
- For systems that cannot be updated immediately, restrict inbound file delivery channels such as email attachments and external file shares until the engine is patched.
- Where Defender is not the primary anti-malware product, ensure it is disabled or replaced per Microsoft guidance to remove exposure to the vulnerable engine.
# Verify the Microsoft Malware Protection Engine version on Windows
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion
# Pull the latest security intelligence (definition) update; engine updates ship in the same package.
# Platform updates (MsMpEng.exe and related binaries) arrive separately through Windows Update.
Update-MpSignature
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


