Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file must be scanned by the engine (AV:L, UI:R), no privileges needed (PR:N), and SYSTEM-level engine execution yields full C:H/I:H/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Integer underflow (wrap or wraparound) in Microsoft Defender allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Microsoft Malware Protection Engine to scan an attacker-crafted file that triggers the integer underflow, and the CVSS mandates user interaction (UI:R) - i.e., the victim must receive/handle the malicious file (open, save, or download it) so the engine parses it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) describes a local, low-complexity attack needing no privileges but requiring user interaction, with total CIA impact - consistent with a user being lured into handling a malicious file that Defender then auto-scans. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious file (such as a specially structured archive or executable) engineered to trigger the integer underflow when parsed, and delivers it to a victim via email, download, or a shared location. When the user saves or opens the file, Microsoft Defender automatically scans it, the underflow corrupts memory in the SYSTEM-privileged engine, and attacker-controlled code executes with full host privileges. … |
| Remediation | Patch available per vendor advisory: ensure the Microsoft Malware Protection Engine updates to the fixed build referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55011. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Microsoft Defender, determine current Malware Protection Engine versions, and review endpoint security logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Def
Same weakness CWE-191 – Integer Underflow
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44029
GHSA-9gvv-f74q-gxrr