VYPR
High severity · 7.8 · CISA KEV · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-41091

Description

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A link following vulnerability in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Vulnerability

CVE-2026-41091 is an improper link resolution before file access ('link following') vulnerability in Microsoft Defender. The specific affected versions have not been disclosed in the available references [1]. The issue occurs when Defender handles file access operations without properly resolving symbolic links, enabling an attacker to redirect access to a privileged file.

Exploitation

An attacker with local access and valid authorization can exploit this vulnerability by creating a symbolic link that points Defender's file operations to a sensitive system file. The exact steps are not detailed in the available references [1], but typical link-following exploits require the attacker to write a symlink to a location that the vulnerable process accesses with elevated privileges.

Impact

Successful exploitation allows the attacker to elevate privileges locally, potentially gaining access to files or resources that require higher permissions. The impact is limited to local privilege escalation, as the attacker must already have some level of authorized access on the system.

Mitigation

CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog [1], indicating active exploitation. Users should apply the vendor-provided update from Microsoft as soon as possible. No specific workarounds are mentioned in the available references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 2

News mentions: 1