Skip to main content

Microsoft Defender CVE-2026-45584

| EUVDEUVD-2026-31105 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-20 microsoft GHSA-f7rp-9ghh-f4gm
8.1
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:33 vuln.today

DescriptionCVE.org

Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.

Technical ContextAI

The vulnerability lives in the Microsoft Malware Protection Engine (mpengine), the core component used by Microsoft Defender, System Center Endpoint Protection, and related Microsoft anti-malware products to parse and scan files. The CWE-122 classification points to a heap-based buffer overflow, meaning the engine writes past the bounds of a dynamically allocated buffer - typically while parsing attacker-controlled file content during automatic scanning. Because mpengine runs with high privileges and scans content from many delivery channels (email, web downloads, SMB shares) without user action, overflow conditions in its parsers historically yield powerful remote code execution primitives. The CPE cpe:2.3:a:microsoft:microsoft_malware_protection_engine identifies the affected component as the engine itself, which is updated separately from Windows via the Defender definition/engine update channel.

RemediationAI

Patch available per vendor advisory: ensure the Microsoft Malware Protection Engine is updated to the fixed build documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584; in most deployments this update is delivered automatically through Microsoft Update or the Defender definition channel, typically within 48 hours, so verify that automatic engine updates are enabled and that managed endpoints have actually received the new engine version via Get-MpComputerStatus or the Defender admin console. Where automatic updates are disabled or air-gapped, manually distribute the updated engine through WSUS, SCCM, or Intune. As a temporary compensating control on systems that cannot be updated quickly, restrict ingress of untrusted files (block external email attachments at the gateway, disable SMB inbound, restrict web download paths) - note the trade-off that this reduces but does not eliminate exposure since Defender also scans files generated locally, and disabling real-time scanning is strongly discouraged because it removes baseline protection against unrelated threats.

Share

CVE-2026-45584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy