CISA has added CVE‑2026‑41091 to its Known Exploited Vulnerabilities (KEV) catalogue. The affected vendor is Microsoft and the product is Defender. The vulnerability, named Microsoft Defender Link Following Vulnerability, allows an authorised attacker to elevate privileges locally.
The flaw is a link following issue within Defender that can be exploited by a user with existing local access to gain higher‑level privileges on the affected system. It is rated CVSS 7.8, which corresponds to a high severity rating. A patch is available from Microsoft via the advisory linked in the KEV note.
Because the entry appears in the KEV catalogue, active exploitation has been confirmed in the wild. No known ransomware campaign has been linked to this CVE at this time. CISA has set a remediation deadline of 26 June 2026 for federal agencies to address the issue.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations are advised to review their Defender deployments and apply the available mitigations or patches as a precaution.
For full technical details, references, and the complete KEV entry, consult the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2026-41091 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalogue.