On Wednesday, Microsoft rolled out security patches for two critical vulnerabilities in its Defender software, identified as CVE-2026-41091 and CVE-2026-45498, which are being actively exploited in cyberattacks. The first vulnerability, CVE-2026-41091, is a privilege escalation flaw in the Microsoft Malware Protection Engine, allowing attackers to gain SYSTEM privileges. The second flaw, CVE-2026-45498, affects the Microsoft Defender Antimalware Platform and can lead to denial-of-service (DoS) states on unpatched Windows devices. Microsoft has released updated versions of its Malware Protection Engine to address these issues, stating that users should not need to take additional actions to secure their systems as updates are automatically managed. However, users are encouraged to verify that their systems are updated correctly. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also mandated that federal agencies secure their Windows systems against these vulnerabilities within two weeks, highlighting the significant risks they pose. CISA has included these vulnerabilities in its Known Exploited Vulnerabilities Catalog, urging agencies to apply necessary mitigations.