CVE-2026-45498

Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498)

Tactics: Defense Evasion, Impact

CVE-2026-45498 is a Denial of Service vulnerability in Microsoft Defender. Exploitation can cause Defender to crash, hang, or become unresponsive, effectively disabling endpoint protection on affected hosts. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this to disable security tooling prior to follow-on intrusion activity.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Defender

Timeline

Disclosed
May 20, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-45498 (Microsoft Defender Denial of Service Vulnerability)?

CVE-2026-45498 (Microsoft Defender Denial of Service Vulnerability) maps to the Defense Evasion and Impact tactics in MITRE ATT&CK: the adversary is trying to avoid being detected by crashing or disabling the endpoint protection agent (Impair Defenses: Disable or Modify Tools, T1562.001), and in doing so interrupts the availability of that protection on the host (Service Stop, T1489).

This page provides production-ready detection logic for Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics
Defense Evasion, Impact
Microsoft Sentinel / Defender (KQL)
let timeframe = 24h;
// Defender's own binaries: service stops or crashes they initiate are treated as expected
let DefenderBinaries = dynamic(["MsMpEng.exe", "MpCmdRun.exe", "SecurityHealthService.exe"]);
// Branch 1: service stop/crash events not initiated by Defender itself
let DefenderServiceEvents = DeviceEvents
| where Timestamp > ago(timeframe)
| where ActionType in ("ServiceStopped", "ServiceCrashed")
| where InitiatingProcessFileName !in~ (DefenderBinaries)
| project Timestamp, DeviceName, DeviceId, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId, ReportId;
// Branch 2: antivirus health events, regardless of which process initiated them
// (AntivirusDisabled lives only here so the final union does not emit it twice)
let DefenderHealthEvents = DeviceEvents
| where Timestamp > ago(timeframe)
| where ActionType in ("AntivirusDisabled", "AntivirusScanFailed")
| project Timestamp, DeviceName, DeviceId, ActionType, AdditionalFields, ReportId;
// Branch 3: repeated MsMpEng.exe starts; a crash loop shows up as several process creations per hour.
// Fixed hourly bins are cheap, but a burst that straddles a bin boundary can split below the threshold.
let ServiceCrashEvents = DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where FileName =~ "MsMpEng.exe" and ActionType == "ProcessCreated"
| summarize RestartCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, DeviceId, bin(Timestamp, 1h)
| where RestartCount >= 3
| extend AlertReason = strcat("Defender process restarted ", RestartCount, " times within 1 hour");
DefenderServiceEvents
| union DefenderHealthEvents
| union (ServiceCrashEvents | project Timestamp = LastSeen, DeviceName, DeviceId, ActionType = "FrequentDefenderRestart", RestartCount, AlertReason)
| sort by Timestamp desc

Detects Microsoft Defender service crashes, unexpected disabling, and frequent restarts that may indicate exploitation of CVE-2026-45498. Monitors for Defender process anomalies, service state changes, and antivirus health events across DeviceEvents and DeviceProcessEvents tables.
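The same three branches, re-implemented in Python over constructed MDE-style records so the logic can be exercised offline. This is an added example, not the page's query and not Microsoft's code. Field names follow the DeviceEvents / DeviceProcessEvents schema used above; the record values, device names and the `svc_helper.exe` initiator are made up. It goes one step beyond the KQL in the restart branch: it uses a sliding one-hour window rather than fixed hourly bins, so a burst of three starts at 09:50, 10:05 and 10:20 is caught (fixed bins would count them as 1 + 2).

```python
"""Re-implementation of the KQL detection above over constructed MDE-style
records (added example, not the page's query). Field names follow the
DeviceEvents / DeviceProcessEvents schema; the record values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Defender's own binaries: service stops/crashes they initiate are treated as expected
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "securityhealthservice.exe"}
SERVICE_ACTIONS = {"ServiceStopped", "ServiceCrashed"}
HEALTH_ACTIONS = {"AntivirusDisabled", "AntivirusScanFailed"}
RESTART_THRESHOLD = 3
RESTART_WINDOW = timedelta(hours=1)


def detect(device_events, process_events, now, timeframe=timedelta(hours=24)):
    """Return alert dicts, newest first, mirroring the three branches of the KQL."""
    since = now - timeframe
    alerts = []

    for ev in device_events:
        if ev["Timestamp"] < since:
            continue
        initiator = ev.get("InitiatingProcessFileName", "").lower()
        if ev["ActionType"] in SERVICE_ACTIONS and initiator not in DEFENDER_BINARIES:
            alerts.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                           "ActionType": ev["ActionType"], "Initiator": initiator,
                           "AlertReason": "Defender service stopped or crashed, not by Defender itself"})
        elif ev["ActionType"] in HEALTH_ACTIONS:
            alerts.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                           "ActionType": ev["ActionType"], "Initiator": initiator,
                           "AlertReason": "Antivirus health event"})

    # MsMpEng.exe start times per device; a crash loop shows up as repeated ProcessCreated
    starts = defaultdict(list)
    for ev in process_events:
        if (ev["Timestamp"] >= since and ev["ActionType"] == "ProcessCreated"
                and ev["FileName"].lower() == "msmpeng.exe"):
            starts[ev["DeviceName"]].append(ev["Timestamp"])

    # Sliding one-hour window instead of the KQL's fixed bin(Timestamp, 1h):
    # starts at 09:50, 10:05 and 10:20 are caught here but split 1+2 across fixed bins
    for device, times in starts.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > RESTART_WINDOW:
                left += 1
            count = right - left + 1
            if count >= RESTART_THRESHOLD:
                alerts.append({"Timestamp": t, "DeviceName": device,
                               "ActionType": "FrequentDefenderRestart", "RestartCount": count,
                               "AlertReason": f"Defender process restarted {count} times within 1 hour"})
                break  # one alert per device per run is enough

    alerts.sort(key=lambda a: a["Timestamp"], reverse=True)
    return alerts


# Constructed sample telemetry (not real data)
T0 = datetime(2026, 5, 21, 9, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": at(5), "DeviceName": "ws01", "ActionType": "ServiceStopped",
     "InitiatingProcessFileName": "MpCmdRun.exe"},          # Defender's own CLI: excluded
    {"Timestamp": at(48), "DeviceName": "ws02", "ActionType": "ServiceCrashed",
     "InitiatingProcessFileName": "svc_helper.exe"},        # unknown binary (made up): alert
    {"Timestamp": at(60), "DeviceName": "ws02", "ActionType": "AntivirusDisabled",
     "InitiatingProcessFileName": "MsMpEng.exe"},           # health event: alert regardless
    {"Timestamp": at(-30 * 60), "DeviceName": "ws03", "ActionType": "ServiceCrashed",
     "InitiatingProcessFileName": "svc_helper.exe"},        # 30 h old: outside timeframe
]
SAMPLE_PROCESS_EVENTS = [
    {"Timestamp": at(10), "DeviceName": "ws01", "FileName": "MsMpEng.exe", "ActionType": "ProcessCreated"},
    {"Timestamp": at(50), "DeviceName": "ws02", "FileName": "MsMpEng.exe", "ActionType": "ProcessCreated"},
    {"Timestamp": at(65), "DeviceName": "ws02", "FileName": "MsMpEng.exe", "ActionType": "ProcessCreated"},
    {"Timestamp": at(80), "DeviceName": "ws02", "FileName": "MsMpEng.exe", "ActionType": "ProcessCreated"},
]


def run_sample():
    return detect(SAMPLE_DEVICE_EVENTS, SAMPLE_PROCESS_EVENTS, now=at(120))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["Timestamp"], alert["DeviceName"], alert["ActionType"], alert["AlertReason"])
```

Against the sample, `run_sample()` returns three alerts for ws02 only: the restart burst, the AntivirusDisabled health event, and the crash attributed to a non-Defender process; the MpCmdRun.exe-initiated stop on ws01 and the 30-hour-old crash on ws03 are suppressed, exactly as the KQL filters intend.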

Severity: high. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel
  • Azure Monitor

Required Tables

  • DeviceEvents
  • DeviceProcessEvents

False Positives

  • Legitimate administrative disabling of Defender during maintenance windows
  • Windows updates or patches that temporarily stop and restart Defender services
  • Third-party security product installation that temporarily disables Defender
  • Automated patch management tools that restart security services
  • System resource exhaustion causing unrelated process crashes

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-45498 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource. Note that process_creation only covers the MsMpEng.exe restart branch; the Defender Operational log events referenced in the tests below (5000, 5001, 5007) fall under Sigma's windefend service logsource (product: windows, service: windefend), and the DeviceEvents health and service branches have no direct Sigma equivalent.

logsource:
  category: process_creation
  product: windows


Testing Methodology

Validate this detection against the 4 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Defender Real-Time Protection Disable Event

    Expected signal: Windows Defender Operational EventID 5001 (real-time protection disabled) followed by EventID 5000 (real-time protection enabled); DeviceEvents ActionType AntivirusDisabled in MDE telemetry. With Tamper Protection enabled, disabling real-time protection through Set-MpPreference is blocked even from an elevated session and no 5001 is written, so run this test on a host where Tamper Protection is off or use a policy-driven change.

  2. Test 2: Force MsMpEng Process Restart Sequence

    Expected signal: System EventLog EventIDs 7036 (service state changed) and, if a crash is simulated, 7034 (service terminated unexpectedly) for the WinDefend service; multiple MsMpEng.exe process start events in DeviceProcessEvents. WinDefend is a protected service that an administrator cannot stop with Stop-Service or sc stop, so producing a genuine stop/start pair normally means rebooting or letting a Defender platform update restart the engine.

  3. Test 3: Defender Configuration Tampering via Registry

    Expected signal: Windows Defender Operational EventID 5007 (configuration changed); registry modification event in DeviceRegistryEvents for HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.

  4. Test 4: Generate Windows Error Reporting Artifact for MsMpEng

    Expected signal: Process access event against MsMpEng.exe in DeviceEvents (ActionType OpenProcessApiCall); file creation event for a .dmp file; procdump.exe process creation with the MsMpEng PID as an argument. MsMpEng.exe runs as an antimalware protected process (PPL), so a user-mode dumper such as procdump is expected to fail with access denied; the process access attempt and the procdump command line are the signal, not a successful dump.

Unlock Pro Content

Get the full detection package for CVE-2026-45498 including response playbook, investigation guide, and atomic red team tests.
