
CVE-2026-45647: Microsoft Defender Privilege Escalation

CVE-2026-45647 is a TOCTOU race condition privilege escalation vulnerability in Microsoft Defender for Endpoint that allows authorized attackers to gain elevated privileges. This article covers technical details, impact, and mitigations.


CVE-2026-45647 Overview

CVE-2026-45647 is a time-of-check time-of-use (TOCTOU) race condition in Microsoft Defender for Endpoint. The flaw allows an authorized local attacker to elevate privileges on an affected host. Microsoft classified the issue under CWE-367, reflecting improper synchronization between a security check and the subsequent use of a resource. Successful exploitation impacts integrity on the target system, while confidentiality and availability remain unaffected per the CVSS vector. The vulnerability requires local access and low-privilege authentication, but no user interaction.

Critical Impact

An authenticated local user who wins the narrow race window in Microsoft Defender for Endpoint can escalate privileges and tamper with integrity-protected resources.

Affected Products

  • Microsoft Defender for Endpoint

Discovery Timeline

  • 2026-06-09 - CVE-2026-45647 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45647

Vulnerability Analysis

The vulnerability is a TOCTOU race condition in Microsoft Defender for Endpoint. A privileged component validates a resource state, such as a file path, handle, or object attribute, and then operates on that resource later. An attacker with local access can modify the resource between the check and the use, causing the privileged operation to act on attacker-controlled data. The result is a local elevation of privilege that grants the attacker integrity impact over assets the Defender process can write to or modify. Exploitation requires winning a timing window, which is feasible on multi-core systems where the attacker can run parallel threads to flip the resource state during the narrow gap.

Root Cause

The root cause is non-atomic handling of a resource within a privileged Defender for Endpoint code path [CWE-367]. The component validates a property of the resource and then re-references it by name or by an unprotected handle, instead of operating on a securely held reference. This pattern allows an unprivileged process to swap the resource between the validation and the action.

Attack Vector

The attack vector is local. An attacker must already have a low-privilege account on the target host to schedule processes and manipulate the file system or named objects under contention. No user interaction is required. The attacker repeatedly triggers the vulnerable Defender code path while concurrently substituting the targeted resource, for example by replacing a file or redirecting a symbolic link, until the privileged operation acts on the malicious version. See the Microsoft Vulnerability Advisory CVE-2026-45647 for vendor-confirmed technical detail.

Detection Methods for CVE-2026-45647

Indicators of Compromise

  • Unexpected file replacements, symbolic link creations, or junction point changes in directories accessed by Microsoft Defender for Endpoint processes such as MsSense.exe and MsMpEng.exe.
  • Processes spawned by non-administrative users that repeatedly create, delete, and rename the same file or named object within short intervals.
  • Defender for Endpoint service writing to or modifying files outside its normal telemetry and quarantine paths.

Detection Strategies

  • Hunt for high-frequency file system events targeting the same path from a single low-privilege process, which is characteristic of TOCTOU race attempts.
  • Correlate Defender for Endpoint process activity with subsequent privilege changes, token manipulations, or new local administrators on the same host.
  • Alert on creation of symlinks, hard links, or object manager links by unprivileged users that resolve into paths used by security tooling.

Monitoring Recommendations

  • Enable Sysmon Event IDs 1, 11, and 15 and forward to a centralized analytics platform for race-pattern detection.
  • Track Microsoft Defender for Endpoint service version and build across the fleet to confirm patch deployment status.
  • Review Windows Security and Application logs for repeated crashes or anomalies in Defender components, which can indicate failed exploitation attempts.
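An added detection example, not code from the original page, that applies the hunt described under Detection Strategies to the Sysmon telemetry recommended under Monitoring Recommendations: it replays exported Sysmon events offline and flags any process below High integrity (from Event ID 1) that creates the same path repeatedly inside a short window (Event ID 11). The field names follow Sysmon's event schema; the JSON-lines export shape, the thresholds and the sample records are assumptions, and the sample is constructed, not real telemetry.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 2.0            # a burst tighter than this looks like a race attempt
THRESHOLD = 4                   # creates of one path by one process inside the window
HIGH_PRIV = {"High", "System"}  # Event ID 1 IntegrityLevel values that are not "low-privilege"

# Constructed sample (not real telemetry): Event ID 1 (ProcessCreate) records followed by
# Event ID 11 (FileCreate) records, in the flattened JSON-lines shape a forwarder might emit.
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2026-06-09 10:00:00.000","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","IntegrityLevel":"Medium"}
{"EventID":1,"UtcTime":"2026-06-09 10:00:00.000","ProcessId":812,"Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:01.000","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:01.300","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:01.600","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:01.900","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:03.000","ProcessId":812,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:03.100","ProcessId":812,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:03.200","ProcessId":812,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:03.300","ProcessId":812,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\ProgramData\\Example\\scan.tmp"}
{"EventID":11,"UtcTime":"2026-06-09 10:00:05.000","ProcessId":4120,"Image":"C:\\Users\\low\\race.exe","TargetFilename":"C:\\Users\\low\\notes.txt"}
"""

def find_race_bursts(jsonl, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (ProcessId, Image, TargetFilename) for sub-High-integrity processes that created the same path `threshold`+ times within `window` seconds (events assumed time-ordered)."""
    integrity = {}               # ProcessId -> IntegrityLevel learned from Event ID 1
    recent = defaultdict(deque)  # (pid, image, path) -> timestamps still inside the window
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:    # ProcessCreate: remember who is privileged
            integrity[ev["ProcessId"]] = ev["IntegrityLevel"]
        elif ev["EventID"] == 11: # FileCreate: track churn on one path per process
            key = (ev["ProcessId"], ev["Image"], ev["TargetFilename"])
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:  # expire events older than the window
                q.popleft()
            # unknown integrity (no Event ID 1 seen) is treated as low so nothing is missed
            if len(q) >= threshold and integrity.get(key[0]) not in HIGH_PRIV and key not in hits:
                hits.append(key)
    return hits

if __name__ == "__main__":
    for pid, image, path in find_race_bursts(SAMPLE_EVENTS):
        print(f"TOCTOU-style churn: pid={pid} image={image} path={path}")
```

The System-integrity svchost.exe burst on the same path is deliberately not flagged, which is the filter that keeps legitimate high-volume writers by security tooling out of the alert stream.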

How to Mitigate CVE-2026-45647

Immediate Actions Required

  • Apply the Microsoft Defender for Endpoint update referenced in the Microsoft Vulnerability Advisory CVE-2026-45647 as soon as the platform update channel delivers it.
  • Verify that the Defender platform, engine, and signature versions on managed hosts match the patched build documented by Microsoft.
  • Restrict interactive and remote logon rights on sensitive hosts to reduce the population of users who can attempt local exploitation.

Patch Information

Microsoft addresses CVE-2026-45647 through the Defender for Endpoint platform update channel. Refer to the Microsoft Vulnerability Advisory CVE-2026-45647 for the fixed build numbers and deployment guidance. Defender platform updates are typically delivered automatically through Microsoft Update and the cloud-managed service, but administrators should confirm rollout on disconnected or policy-restricted endpoints.

Workarounds

  • No vendor-approved workaround replaces the patch. Prioritize installing the fixed Defender for Endpoint build.
  • Reduce local logon and process creation rights for non-administrative users to limit attacker dwell time on at-risk hosts.
  • Monitor for the detection indicators above on hosts that cannot be updated immediately, and isolate any host showing TOCTOU exploitation patterns.

```powershell
# Verify Microsoft Defender for Endpoint platform and engine versions on Windows.
# Compare the reported values with the fixed build numbers in the Microsoft advisory.
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, NISEngineVersion
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
