We use optional cookies to improve your experience on our websites, such as through social media connections, and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services will be used. You may change your selection by clicking “Manage Cookies” at the bottom of the page. Privacy Statement Third-Party Cookies AcceptRejectManage cookies MSRC  Customer Guidance  Security Update Guide  Vulnerabilities  CVE-2026-45584 Microsoft Defender Remote Code Execution Vulnerability NewRecently updated On this page  CVE-2026-45584  Subscribe RSS PowerShell  API  CSAF Security Vulnerability Released: May 19, 2026 Last updated: May 26, 2026 Assigning CNA Microsoft CVE.org link CVE-2026-45584  Impact Remote Code Execution Max Severity Critical Weakness CWE-122: Heap-based Buffer Overflow CVSS Source Microsoft Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Metrics CVSS:3.1 8.1 / 7.1  Base score metrics: 8.1 / Temporal score metrics: 7.1  Expand all  Collapse all Metric Value   Base score metrics(8) Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Unchanged Confidentiality High Integrity High Availability High   Temporal score metrics(3) Exploit Code Maturity Unproven Remediation Level Official Fix Report Confidence Confirmed Please see Common Vulnerability Scoring System for more information on the definition of these metrics. Executive Summary Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network. Exploitability The following table provides an exploitability assessment for this vulnerability at the time of original publication. Publicly disclosed No Exploited No Exploitability assessment FAQ According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. How could an attacker exploit this vulnerability? Successful exploitation of this vulnerability would require a remote, unauthenticated attacker to entice a local user to take multiple actions that results in Defender scanning a malicious file that has been quarantined. References Identification Last version of the Microsoft Malware Protection Engine affected by this vulnerability 1.1.26030.3008 First version of the Microsoft Malware Protection Engine with this vulnerability addressed Version 1.1.26040.8 See Manage Updates Baselines Microsoft Defender Antivirus for more information. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating. Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment. How often are the Microsoft Malware Protection Engine and malware definitions updated? Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time. What is the Microsoft Malware Protection Engine? The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default? Defender runs on all supported version of Windows. Are there other products that use the Microsoft Malware Protection Engine? Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials. Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features. Acknowledgements Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information. Security Updates To determine the support lifecycle for your software, see the Microsoft Support Lifecycle. Release date Descending  Edit columns  Download  Filters  Product Family  Max Severity  Impact  Platform   Clear Release date  Product Platform Impact Max Severity Article Download Build Number Assigning CNA Loading... Disclaimer The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions version revisionDate description 1.1 May 26, 2026 In the Security Updates table, added links to the Release Notes. This is an informational change only. 1.0 May 19, 2026 Information published.  How satisfied are you with the MSRC Security Update Guide? Rating  Broken  Bad  Below average  Average  Great!  Your Privacy Choices Consumer Health Privacy