Microsoft released emergency fixes for two zero-day vulnerabilities in the malware protection components of Microsoft Defender. The flaws allow local attackers to gain system-level privileges or cause the anti-malware service to stop working correctly.

Both conditions are valuable in a malware attack, first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Security experts report that the two flaws are behind the RedSun and UnDefend exploits published last month on GitHub by a disgruntled researcher who calls themselves Nightmare Eclipse. While that link is plausible, Microsoft has not mentioned those exploit names in its advisories for these two vulnerabilities.

The privilege escalation flaw, CVE-2026-41091, is located in mpengine.dll, the Microsoft Malware Protection Engine (MPE) component that handles file scanning, malware detection, and cleaning in several Microsoft anti-malware products: Microsoft Defender, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection, and Microsoft Security Essentials.

The vulnerability is described as an improper link resolution before file access issue. In other words, it’s related to a link- or shortcut-following routine that has unintended consequences. The flaw is rated with a CVSS score of 7.8, meaning high severity.

The other vulnerability, CVE-2026-45498, is in the Microsoft Defender Antimalware Platform (MsMpEng.exe), which, along with a series of kernel-mode drivers, is responsible for real-time monitoring and protection. As with MPE, this component is used by Microsoft’s other endpoint protection products.

Although Microsoft issues updates for malware definitions three times per day, platform components such as mpengine.dll and MsMpEng.exe are updated only once per month or as needed.

Customers are advised to manually trigger a check for updates in their respective product and check that they are running version 1.1.26040.8 or newer of the Malware Protection Engine and version 4.18.26040.7 or newer of the Microsoft Defender Antimalware Platform. The Malware Protection Engine update also fixes a remote code execution vulnerability tracked as CVE-2026-45584, but this flaw has not been publicly disclosed or exploited.
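
One way to run the version check advised above, as an added PowerShell example that is not from Microsoft's advisory or the original article: it reads the engine and platform versions reported by the built-in `Get-MpComputerStatus` cmdlet and compares them with the minimum fixed versions stated above. The function name `Test-DefenderPatchLevel` is hypothetical.

```powershell
# Added example. The minimum fixed versions are the ones stated in the article.
$MinEngine   = [version]'1.1.26040.8'    # Malware Protection Engine (mpengine.dll)
$MinPlatform = [version]'4.18.26040.7'   # Antimalware Platform (MsMpEng.exe)

function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        # Optional status object (for example from collected inventory).
        # When omitted, the local machine is queried.
        [Parameter(ValueFromPipeline)]
        $Status
    )
    process {
        if (-not $Status) {
            try {
                $Status = Get-MpComputerStatus -ErrorAction Stop
            } catch {
                # Cmdlet missing or service unavailable, e.g. Defender removed or disabled.
                Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
                return
            }
        }

        # TryParse avoids an exception on empty or malformed version strings;
        # an unparsable version is reported as not fixed.
        $engine = $null
        $platform = $null
        $engineOk = [version]::TryParse([string]$Status.AMEngineVersion, [ref]$engine) -and
                    ($engine -ge $MinEngine)
        $platformOk = [version]::TryParse([string]$Status.AMProductVersion, [ref]$platform) -and
                      ($platform -ge $MinPlatform)

        [pscustomobject]@{
            EngineVersion   = $Status.AMEngineVersion
            EngineFixed     = $engineOk
            PlatformVersion = $Status.AMProductVersion
            PlatformFixed   = $platformOk
            RunningMode     = $Status.AMRunningMode   # may be empty on older builds
            Compliant       = $engineOk -and $platformOk
        }
    }
}

Test-DefenderPatchLevel | Format-List
```

The comparison uses `[version]` rather than string comparison, so a build such as 1.1.26040.10 is correctly treated as newer than 1.1.26040.8.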