May 28, 2026
Microsoft Just Patched Two Defender Zero Days a Researcher Dropped Without Coordination—RedSun (CVE-2026-41091) Escalates a Normal User to SYSTEM, UnDefend (CVE-2026-45498) Quietly Stops Virus Definition Updates So the Antivirus Rots in Place, and CISA Gave Federal Agencies Until June 3 to Fix Both
Both were already being exploited when Microsoft patched them on May 21. The first hands an attacker SYSTEM. The second turns the watchdog off without the user noticing.
An independent researcher who calls themselves Nightmare Eclipse published both bugs without telling Microsoft first. By the time Microsoft confirmed exploitation and released out of band patches on May 21, 2026, both were already in the wild. CISA added them to the Known Exploited Vulnerabilities catalog the same week and started a federal countdown that ends June 3.
Key Takeaways
- Microsoft patched CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend) on May 21, 2026, both in Microsoft Defender, both being actively exploited at the time of the fix.
- RedSun is a local privilege escalation flaw in the Malware Protection Engine that lets a low privileged user manipulate a symlink during a Defender scan and escalate to SYSTEM with a CVSS score of 7.8.
- UnDefend is a denial of service flaw in the Antimalware Platform that lets a standard user silently block Defender definition updates, slowly rotting the antivirus's ability to detect newer malware—CVSS 4.0 but practically far more dangerous.
- Researcher Nightmare Eclipse published both bugs publicly without coordinating disclosure with Microsoft, which is why the patches arrived as out of band emergency updates.
- CISA added both CVEs to its Known Exploited Vulnerabilities catalog and gave Federal Civilian Executive Branch agencies until June 3, 2026 to patch under Binding Operational Directive 22-01.
What Is CVE-2026-41091 (RedSun)?
CVE-2026-41091, nicknamed RedSun, is a local privilege escalation flaw in the Microsoft Malware Protection Engine, the core component that runs Defender's scans. It carries a CVSS 3.1 score of 7.8 (High) and is rated "Exploitation More Likely" by Microsoft.
The root cause, per Help Net Security's analysis, is improper link resolution before file access. When Defender scans a directory, it follows symbolic links and directory junctions. A low privileged user can plant a symlink that points an in flight scan operation at a target the user shouldn't normally be allowed to touch. Because the scan runs as SYSTEM, the resulting file operation also runs as SYSTEM. The attacker uses the scan engine as a confused deputy and ends up with full administrative control of the machine.
The exploit requires no elevated starting permissions. Anyone who can run code as a standard user—including, critically, a payload from an email attachment or a malicious browser extension—can chain into SYSTEM.
What Is CVE-2026-45498 (UnDefend)?
CVE-2026-45498, called UnDefend, is the quieter of the two and probably the more dangerous in the long run. Its CVSS 3.1 base score is 4.0 (Medium), which seriously undersells the operational impact. The bug is a denial of service flaw in the Microsoft Defender Antimalware Platform that lets a standard user disrupt the update mechanism that delivers fresh virus definitions to the endpoint.
In practice, an attacker who can trigger UnDefend on a machine prevents Defender from ever loading new signatures again. The antivirus keeps running. Its UI keeps reporting "Up to date." Its scans keep finishing successfully. But the underlying definition database is frozen at whatever version was installed before the attack, which means every new malware family released after that point is invisible to the endpoint. UnDefend is how you turn an endpoint into an undetectable malware host without ever tripping the "tampering with antivirus" alert that most EDR products generate when Defender is forcibly stopped.
For an enterprise relying on Defender as its primary endpoint protection, this is the bug that worries SOC teams more than RedSun. RedSun is loud—a SYSTEM token suddenly appears on a workstation. UnDefend is silent.
Who Disclosed These Bugs and Why Without Warning?
A researcher publicly known as "Nightmare Eclipse" disclosed both vulnerabilities on a personal blog last month. Coordinated disclosure to Microsoft—where the vendor gets a 90 day patch window before public release—did not happen. Microsoft confirmed both flaws were already being exploited by the time it published patches on May 21.
Independent disclosure of this kind is rare for vulnerabilities in security software, because the population of affected systems is enormous (every Windows machine running default Defender) and the time between disclosure and weaponization is short. Nightmare Eclipse's stated rationale, on their blog, is a six week dispute over how previous bug submissions were handled by Microsoft's security response process.
How Did CISA Respond?
CISA added both CVE-2026-41091 and CVE-2026-45498 to the Known Exploited Vulnerabilities catalog within days of the patch release. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies have until June 3, 2026 to install the fixes. The KEV listing is not just a federal mandate; it functions as an industry signal that exploitation is real and ongoing, and most large enterprises track KEV additions as a higher priority than vendor "Important" ratings.
Microsoft addressed both flaws in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. The fixes deploy automatically through Defender's standard update channel, which means the vast majority of consumer Windows machines have already been patched—provided their update channel still works, which is the entire point of UnDefend.
What Should You Do Right Now?
Three concrete steps:
- Verify the patch is installed. Open PowerShell and run Get-MpComputerStatus. Confirm AMEngineVersion is 1.1.26040.8 or later and AMServiceVersion shows 4.18.26040.7 or later.
- Confirm signatures are current. Same command, check AntivirusSignatureLastUpdated and AntispywareSignatureLastUpdated. If either timestamp is more than 48 hours old on a machine that should be receiving updates, treat that machine as suspect—it may be an UnDefend victim.
- Force a definition update. Run Update-MpSignature. If the command fails or hangs, investigate immediately rather than rebooting and walking away.
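The three checks above, combined into one script that an administrator can run on each host. This is an added example, not code from the article or from Microsoft; it assumes the Defender PowerShell module is available (Get-MpComputerStatus and Update-MpSignature are real cmdlets), uses the patched build numbers and the 48-hour signature threshold the article gives, and should run in an elevated session.

```powershell
# Added example (not from the article): runs the three remediation checks on the local machine.
# Assumes the Defender PowerShell module is present. Patched versions and the 48-hour
# signature age threshold are the ones the article names.

$PatchedEngine   = [version]'1.1.26040.8'
$PatchedPlatform = [version]'4.18.26040.7'
$MaxSignatureAge = [TimeSpan]::FromHours(48)

$status = Get-MpComputerStatus

$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMServiceVersion

$findings = @()

# Step 1: engine and platform must be at or above the builds carrying the fixes.
if ($engine -lt $PatchedEngine) {
    $findings += "Engine fix missing: AMEngineVersion $engine is below $PatchedEngine"
}
if ($platform -lt $PatchedPlatform) {
    $findings += "Platform fix missing: AMServiceVersion $platform is below $PatchedPlatform"
}

# Step 2: signature timestamps older than 48 hours are a possible UnDefend symptom.
$now = Get-Date
foreach ($field in 'AntivirusSignatureLastUpdated', 'AntispywareSignatureLastUpdated') {
    $age = $now - $status.$field
    if ($age -gt $MaxSignatureAge) {
        $findings += "$field is $([int]$age.TotalHours)h old (last update: $($status.$field))"
    }
}

# Step 3: force an update only when something looks wrong, and surface failures
# instead of swallowing them (-ErrorAction Stop makes a failed update catchable).
if ($findings.Count -eq 0) {
    Write-Output "OK: engine $engine, platform $platform, signatures within $($MaxSignatureAge.TotalHours)h"
    return
}

$findings | ForEach-Object { Write-Warning $_ }
try {
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpComputerStatus
    Write-Output "Update-MpSignature ran; AV signatures now dated $($after.AntivirusSignatureLastUpdated)"
} catch {
    Write-Error "Update-MpSignature failed: $($_.Exception.Message). Investigate this host before rebooting."
}
```

A host that reports OK on the version checks but still fails the update step is the case to escalate, since that is the combination the article describes for an UnDefend victim.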
For most home users the answer is simpler: leave automatic updates on, restart your computer, and assume the patch landed. Defender is one of the few security products where the default "do nothing" path actually works—as long as the update channel still works.
For everyone else, the lesson from this disclosure is the lesson from every Defender zero day this year: the antivirus has become a high value target in its own right. Microsoft Defender attracted three separate zero day disclosures from Nightmare Eclipse alone in May 2026, and the trend is unlikely to slow.
What This Means for Email Security
RedSun and UnDefend are local elevation bugs—they need code already running on the target machine. The most common way that code gets there is still email. A phishing email with a malicious attachment, a tracking pixel that fires the moment the email is opened, a link to an exploit kit that drops a loader: each is a way to get the initial low privileged foothold that RedSun then escalates to SYSTEM.
Cutting the email vector is the cheapest mitigation an organization can apply. Most enterprises spend more on endpoint detection than on email defenses, but the math runs the other way: an attack that never reaches the inbox never needs an endpoint product to catch it. Gblock blocks the tracking pixels that confirm a phishing email was read, so attackers can't time their follow up loader delivery and can't tune which user to target next based on who opens what.