Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.
Technical ContextAI
The vulnerability lives in the Microsoft Malware Protection Engine (mpengine), the core component used by Microsoft Defender, System Center Endpoint Protection, and related Microsoft anti-malware products to parse and scan files. The CWE-122 classification points to a heap-based buffer overflow, meaning the engine writes past the bounds of a dynamically allocated buffer - typically while parsing attacker-controlled file content during automatic scanning. Because mpengine runs with high privileges and scans content from many delivery channels (email, web downloads, SMB shares) without user action, overflow conditions in its parsers historically yield powerful remote code execution primitives. The CPE cpe:2.3:a:microsoft:microsoft_malware_protection_engine identifies the affected component as the engine itself, which is updated separately from Windows via the Defender definition/engine update channel.
RemediationAI
Patch available per vendor advisory: ensure the Microsoft Malware Protection Engine is updated to the fixed build documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584; in most deployments this update is delivered automatically through Microsoft Update or the Defender definition channel, typically within 48 hours, so verify that automatic engine updates are enabled and that managed endpoints have actually received the new engine version via Get-MpComputerStatus or the Defender admin console. Where automatic updates are disabled or air-gapped, manually distribute the updated engine through WSUS, SCCM, or Intune. As a temporary compensating control on systems that cannot be updated quickly, restrict ingress of untrusted files (block external email attachments at the gateway, disable SMB inbound, restrict web download paths) - note the trade-off that this reduces but does not eliminate exposure since Defender also scans files generated locally, and disabling real-time scanning is strongly discouraged because it removes baseline protection against unrelated threats.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31105
GHSA-f7rp-9ghh-f4gm