Skip to main content

Microsoft Defender EUVDEUVD-2026-44029

| CVE-2026-55011 HIGH
Integer Underflow (CWE-191)
2026-07-14 microsoft GHSA-9gvv-f74q-gxrr
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file must be scanned by the engine (AV:L, UI:R), no privileges needed (PR:N), and SYSTEM-level engine execution yields full C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:58 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 7.8

DescriptionCVE.org

Integer underflow (wrap or wraparound) in Microsoft Defender allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted file to victim host
Delivery
User saves or opens file
Exploit
Defender engine auto-scans content
Execution
Integer underflow corrupts engine memory
Persist
Execute code as SYSTEM
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the Microsoft Malware Protection Engine to scan an attacker-crafted file that triggers the integer underflow, and the CVSS mandates user interaction (UI:R) - i.e., the victim must receive/handle the malicious file (open, save, or download it) so the engine parses it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) describes a local, low-complexity attack needing no privileges but requiring user interaction, with total CIA impact - consistent with a user being lured into handling a malicious file that Defender then auto-scans. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious file (such as a specially structured archive or executable) engineered to trigger the integer underflow when parsed, and delivers it to a victim via email, download, or a shared location. When the user saves or opens the file, Microsoft Defender automatically scans it, the underflow corrupts memory in the SYSTEM-privileged engine, and attacker-controlled code executes with full host privileges. …
Remediation Patch available per vendor advisory: ensure the Microsoft Malware Protection Engine updates to the fixed build referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55011. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Microsoft Defender, determine current Malware Protection Engine versions, and review endpoint security logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy