CISA Adds Microsoft Defender DoS Flaw to KEV Catalog with June 3 Deadline

On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is classified as a Denial of Service (DoS) vulnerability within the Microsoft Defender Antimalware Platform. U.S. federal agencies and their contractors now have less than two weeks to implement mandatory mitigations, even as specific technical details regarding the exploit remain shielded from the public. Corporate security teams are now left to navigate a CVE that is actively being exploited but remains technically opaque.

Key Takeaways
  • CVE-2026-45498 is a DoS vulnerability in the Microsoft Defender Antimalware Platform, categorized under CWE-400 (Uncontrolled Resource Consumption).
  • CISA has set a June 3, 2026, deadline for remediation under the mandates of BOD 22-01.
  • The first patched version is 4.18.26040.7; affected versions begin at 4.18.26030.3011 (inclusive).
  • NVD records two conflicting CVSS vectors (network and local) without clarifying the primary attack scenario or the relationship between the two.

BOD 22-01 and the CISA Countdown

The Binding Operational Directive (BOD) 22-01 requires U.S. federal agencies to remediate vulnerabilities listed in the KEV catalog within strict timeframes. For CVE-2026-45498, the compliance deadline is June 3, 2026. This is not a mere recommendation; it is a mandatory requirement for hundreds of public entities and contractors managing federal infrastructure.

CISA does not populate the KEV catalog for general information purposes. Inclusion presupposes that the vulnerability is subject to active exploitation in the wild, even if available sources do not yet specify the threat actor or campaign. This premise presents security teams with an operational dilemma: the need to act rapidly on a ubiquitous product like Microsoft Defender without a clear understanding of the primary attack vector.

Uncontrolled Resource Consumption: Analyzing CWE-400

The CWE-400 classification points to uncontrolled resource consumption—be it CPU, memory, system handles, or disk space. When these resources are exhausted, the service degrades or fails entirely. In the context of an antimalware engine, this scenario is particularly dangerous. A successful DoS attack does more than crash a secondary application; it can effectively disarm an endpoint's active protection, leaving the system vulnerable to subsequent payloads.

NVD metadata lists two CVSS 3.1 configurations with apparently conflicting vectors. The first assumes a network attack (AV:N) with a high availability impact (A:H). The second indicates a local attack (AV:L) with a low availability impact (A:L). The NVD has not resolved this duality, leaving it unclear whether these represent variants of the same flaw, distinct attack surfaces, or a recalibration of the severity score. For those relying solely on government aggregators, this limitation makes it difficult to accurately profile the risk posture.

Version Profiling: Identifying Affected Systems

The Common Platform Enumeration (CPE) in the NVD entry defines the affected perimeter with precision: versions of the Microsoft Defender Antimalware Platform from 4.18.26030.3011 (inclusive) up to 4.18.26040.7 (exclusive). Therefore, version 4.18.26040.7 is the first non-vulnerable build according to available metadata.

Microsoft Defender is distributed through multiple channels, including automatic Windows Updates, Microsoft Update, Windows Server Update Services (WSUS), and cloud pipelines for managed instances. BOD 22-01 includes a specific clause for cloud services, requiring agencies to "follow vendor instructions for mitigations" or discontinue use if mitigations are unavailable. Current sources do not detail how this clause specifically applies to Defender for Endpoint or Defender for Cloud architectures.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." — CISA KEV Required Action, CVE-2026-45498

Immediate Mitigation Strategies

For security teams managing Microsoft Defender endpoints, four actions should be prioritized:

Verify antimalware platform versions across all endpoints, paying close attention to servers and systems with deferred updates or custom WSUS policies. Build 4.18.26040.7 or higher mitigates the vulnerability according to NVD metadata.
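The version check above, as an added PowerShell example (not from the article or from Microsoft): it classifies each host's antimalware platform version against the NVD range, locally and over WinRM for a fleet. It assumes the Defender cmdlet Get-MpComputerStatus is present on every target, and the host names are constructed placeholders.

```powershell
# Added example, not from the article or from Microsoft: classify each host's
# Defender antimalware platform version against the NVD range for CVE-2026-45498.
# Assumes Get-MpComputerStatus is available on every target and WinRM is enabled.

$probe = {
    $firstAffected = [version]'4.18.26030.3011'   # start of affected range (inclusive)
    $firstFixed    = [version]'4.18.26040.7'      # first non-vulnerable build (exclusive bound)

    $status = Get-MpComputerStatus
    # AMProductVersion is the antimalware platform version. The engine and signature
    # versions are separate components and do not decide this CVE.
    $installed = [version]$status.AMProductVersion

    if     ($installed -ge $firstFixed)    { $assessment = 'Patched' }
    elseif ($installed -ge $firstAffected) { $assessment = 'InAffectedRange' }
    else   { $assessment = 'BelowAffectedRange' }   # outside the listed CPE range, not proof of safety

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $installed.ToString()
        EngineVersion   = $status.AMEngineVersion
        RealTimeProtect = $status.RealTimeProtectionEnabled
        Assessment      = $assessment
        CheckedAt       = (Get-Date).ToString('o')
    }
}

# Local host first, then the fleet. Host names below are constructed placeholders.
& $probe

$fleet   = @('WS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-01')
$results = Invoke-Command -ComputerName $fleet -ScriptBlock $probe -ErrorAction Continue

# Keep the CSV as the remediation record for the June 3 deadline and list the
# hosts still inside the affected range for follow-up.
$results | Export-Csv -Path .\defender-cve-2026-45498-status.csv -NoTypeInformation
$results | Where-Object Assessment -eq 'InAffectedRange' |
    Select-Object PSComputerName, PlatformVersion, Assessment
```

Hosts reported as BelowAffectedRange are outside the CPE range the NVD lists, which only means they are not in that range; treat them as pending review rather than as cleared.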

Map government systems and federal tenants, including indirect relationships. Any organization providing services to U.S. entities subject to BOD 22-01 must document their patching status by June 3, 2026, regardless of whether their own organization is technically bound by the directive.

Monitor for anomalous resource consumption by Defender processes (MsMpEng.exe, MpCmdRun.exe, and related services). A sudden spike in CPU or memory usage could indicate an attempt to trigger the CWE-400 flaw, even without confirmation of the specific vector.
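A sampler for the resource-consumption check above, as an added PowerShell example (not from the article or from Microsoft): it takes repeated snapshots of the Defender processes, derives a CPU percentage from the change in processor time between samples, and flags sustained spikes. The thresholds and interval are assumptions for illustration and should be baselined against normal scheduled-scan behaviour before being used for alerting.

```powershell
# Added example, not from the article or from Microsoft: sample Defender process
# CPU and working-set usage and flag values above assumed thresholds.
param(
    [string[]]$ProcessNames = @('MsMpEng', 'MpCmdRun'),
    [int]$IntervalSeconds = 10,
    [int]$Samples = 6,
    [double]$CpuPercentThreshold = 80,    # assumed threshold, baseline before use
    [int]$WorkingSetMBThreshold = 2048    # assumed threshold, baseline before use
)

$cores    = [Environment]::ProcessorCount
$previous = @{}   # PID -> last sample time and cumulative CPU seconds

for ($i = 0; $i -lt $Samples; $i++) {
    $now = Get-Date
    foreach ($p in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        $cpuSeconds = $p.TotalProcessorTime.TotalSeconds
        $wsMB       = [math]::Round($p.WorkingSet64 / 1MB)
        $cpuPct     = $null

        # CPU % needs two samples: the delta in processor time over wall-clock
        # time, normalised to all logical cores so 100 means the whole machine.
        if ($previous.ContainsKey($p.Id)) {
            $prev    = $previous[$p.Id]
            $elapsed = ($now - $prev.Time).TotalSeconds
            if ($elapsed -gt 0) {
                $cpuPct = [math]::Round((($cpuSeconds - $prev.Cpu) / $elapsed) * 100 / $cores, 1)
            }
        }
        $previous[$p.Id] = @{ Time = $now; Cpu = $cpuSeconds }

        $flagged = ($null -ne $cpuPct -and $cpuPct -ge $CpuPercentThreshold) -or
                   ($wsMB -ge $WorkingSetMBThreshold)

        [pscustomobject]@{
            Time         = $now.ToString('HH:mm:ss')
            Process      = $p.ProcessName
            PID          = $p.Id
            CpuPercent   = $cpuPct
            WorkingSetMB = $wsMB
            Flagged      = $flagged
        }
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}
```

Run it elevated so the protected Defender service process can be queried, and pipe the output to Export-Csv or your log forwarder so the samples land beside the rest of the endpoint telemetry.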

Await a comprehensive vendor advisory from Microsoft without downgrading the threat's priority. The absence of public technical details does not diminish the gravity of the KEV listing; it suggests that exploit intelligence is currently limited to CISA, the vendor, and the actors already utilizing it.

Information Gaps as a Risk Variable

Adding a vulnerability to the KEV without technical disclosure is a recurring operational choice for CISA, though it is rare for a product as widespread as Microsoft Defender. The catalog, established in 2021, prioritizes rapid remediation over complete transparency, aiming to close the exploit window rather than facilitate academic research.

For defenders, however, this approach creates friction. Security engineers cannot easily calibrate detection rules, segment networks, or train SOC teams on indicators of compromise they do not possess. The practical result is "blind patching": necessary and mandatory, but stripped of the context required to justify its priority against hundreds of other monthly CVEs. In this specific case, the dual nature of the CVSS vector compounds the uncertainty regarding the actual attack surface.

Frequently Asked Questions

Why does CISA impose a deadline without publishing exploit details?
BOD 22-01 is designed to reduce the window of federal exposure regardless of whether a public PoC or technical analysis is available. CISA typically shares sensitive details directly with vendors and, when necessary, with federal entities via non-public channels.

Does the dual CVSS vector mean the vulnerability is both remote and local?
Available sources have not resolved this ambiguity. The NVD lists both vectors without explaining if they represent distinct scenarios, variants of the same bug, or an ongoing assessment revision. It is not currently possible to determine which vector prevails based on documentation.

Are private companies and SMEs required to patch by June 3?
BOD 22-01 directly binds only U.S. federal agencies and their contractors. Private companies without government contracts have no regulatory obligation, but the KEV listing indicates active exploitation, making the update an urgent operational recommendation.