Microsoft Defender Heap Buffer Overflow Allows Remote Code Execution

The National Vulnerability Database has disclosed CVE-2026-45584, a high-severity heap-based buffer overflow affecting Microsoft Defender. This critical flaw allows an unauthenticated, unauthorized attacker to execute arbitrary code over a network without user interaction. The CVSS score for this vulnerability is 8.1 (High), with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

This is a serious issue. A network-based attack vector with no authentication or user interaction required means the attack surface is vast. While the attack complexity is rated ‘High’, this likely refers to the technical sophistication needed to craft the exploit, not the difficulty for a determined attacker. Given that Microsoft Defender is ubiquitous, the potential impact is widespread across virtually all Windows environments.

Defenders need to treat this as a top priority. A successful exploit could lead to full system compromise, enabling lateral movement and data exfiltration. The attacker’s calculus here is straightforward: Defender is installed everywhere, and a reliable exploit grants a foothold into countless organizations. Patching isn’t enough; organizations must also assume potential compromise and hunt for post-exploitation activity.

What This Means For You

  • If your organization relies on Microsoft Defender, you must prioritize patching for CVE-2026-45584 immediately. This is not a theoretical threat; a remote, unauthenticated RCE in an endpoint protection solution is a nightmare scenario. After patching, actively hunt for any signs of exploitation, as this vulnerability allows a deep foothold.

🛡️ Detection Rules

2 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one of them is reproduced below as Sigma YAML.

Rule 1: CVE-2026-45584 - Microsoft Defender Heap Buffer Overflow - Initial Access
Level: critical · ATT&CK: T1190 (Initial Access)

Sigma YAML:
title: CVE-2026-45584 - Microsoft Defender Heap Buffer Overflow - Initial Access
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  This rule detects the execution of Microsoft Defender command-line utilities with specific parameters that could be leveraged by an attacker to trigger the heap buffer overflow vulnerability (CVE-2026-45584) for remote code execution. The vulnerability allows an unauthorized attacker to execute code over a network by exploiting a heap-based buffer overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45584/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows   # added: backends need the product to map process_creation to Windows event sources
detection:
  selection:
    Image|startswith:
      - 'C:\Program Files\Windows Defender\MpCmdRun.exe'
    CommandLine|contains:
      - '-RemoveDefenderSignatures'
      - '-SignatureUpdate'
  condition: selection   # fixed: condition is a key of detection, not of the selection it references
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

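To see what the selection above actually fires on, here is an added Python evaluator (not code from the original post or from the SCW feed engine) that applies the rule's field modifiers to a few constructed process-creation events; it implements Sigma's default string semantics as I understand the spec (case-insensitive matching, list values OR'd within a field, fields AND'd within a selection), and the sample events are constructed.

```python
# Added example: evaluate the rule's selection against constructed
# process-creation events. Sigma string semantics assumed here:
# case-insensitive, list values OR'd per field, fields AND'd per selection.
RULE_SELECTION = {
    "Image|startswith": [r"C:\Program Files\Windows Defender\MpCmdRun.exe"],
    "CommandLine|contains": ["-RemoveDefenderSignatures", "-SignatureUpdate"],
}


def _field_matches(modifier: str, value: str, patterns: list[str]) -> bool:
    """One field with a modifier; any listed pattern may match (OR)."""
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:  # no modifier: exact, case-insensitive
            return True
    return False


def selection_matches(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """All fields of the selection must match; a missing field fails."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _field_matches(modifier, str(event[field]), patterns):
            return False
    return True


# Constructed sample events with Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -SignatureUpdate'},
    {"Image": r"c:\program files\windows defender\mpcmdrun.exe",  # case differs
     "CommandLine": "MpCmdRun.exe -RemoveDefenderSignatures -All"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",  # benign scan
     "CommandLine": "MpCmdRun.exe -Scan -ScanType 2"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # Image does not match
     "CommandLine": "cmd.exe /c MpCmdRun.exe -SignatureUpdate"},
]


def matching_events(events=SAMPLE_EVENTS) -> list[int]:
    """Indices of the events the rule's selection fires on."""
    return [i for i, e in enumerate(events) if selection_matches(e)]
```

Note that the fourth event, where the same switch is passed through cmd.exe, is not caught because the rule keys on the Image path; that is the gap a tuned rule would close.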

Indicators of Compromise

ID              Type           Indicator
CVE-2026-45584  Vulnerability  CVE-2026-45584

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
