CVE-2026-41091, also known as RedSun, is a local elevation-of-privilege vulnerability in Microsoft Defender caused by improper link resolution before file access. Public reporting indicates that an unprivileged local attacker can place a specially crafted file so that Microsoft Defender’s Malware Protection Engine follows attacker-controlled link redirection and writes the file back into a privileged location during its scan cycle. Because the engine operates with SYSTEM privileges, the write occurs with elevated rights, enabling privilege escalation. The issue has been described as affecting Microsoft Defender and was patched by Microsoft in an out-of-band update.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a Windows local privilege escalation PoC for CVE-2026-41091 targeting Microsoft Defender/Microsoft Malware Protection Engine link-following behavior. Structure is simple: two C++ source files plus README/license/gitignore. The main exploit logic is in full_poc.cpp; basic_poc.cpp is a reduced educational demonstration of the core filesystem race/redirection algorithm. The exploit capability is SYSTEM privilege escalation from a low-privileged local context. The chain combines several Windows-native mechanisms: writing an EICAR test string to trigger Defender activity, monitoring \Device for HarddiskVolumeShadowCopy creation as a timing signal, acquiring batch oplocks on bait/cloud files, renaming directories during the race window, creating an NTFS junction to C:\Windows\System32, and then copying a payload into System32. The full PoC extends this with Cloud Files API (CfAPI) sync-root/placeholder operations and COM activation of the Storage Tiers Management service (CLSID 50d185b9-fff3-4656-92c7-e4018da4361d) to complete the SYSTEM execution chain. basic_poc.cpp demonstrates the algorithm only: VSS detection via NtOpenDirectoryObject/NtQueryDirectoryObject from ntdll.dll, batch oplock requests with FSCTL_REQUEST_BATCH_OPLOCK, junction creation, and payload copy into System32. full_poc.cpp is the operational version with CfAPI integration (cfapi.lib), cloud placeholder creation, sync-root handling, and service activation. No external network C2 or remote endpoints are present; this is a purely local Windows exploit. The README documents affected versions, build instructions, and the intended exploit chain. Overall, this is a real exploit repository rather than a detector, with hardcoded local behavior and a fixed escalation path, making maturity best classified as OPERATIONAL.
Small two-file repository containing a single C++ proof-of-concept skeleton and a descriptive README for CVE-2026-41091 ('RedSun'). The code is a local Windows privilege-escalation demonstration targeting Microsoft Defender link-following/remediation behavior. Repository structure is minimal: `CVE-2026-41091.cpp` contains all executable logic, while `README.md` provides vulnerability background, affected versions, mitigation guidance, and references. The exploit capability implemented in code is limited and clearly skeletal. It prints a banner, creates a temporary directory under the current user's temp path, writes a marker string to `malicious.cloud`, and attempts to create a junction object intended to point at `C:\Windows\System32`. It then pauses briefly to simulate a Defender remediation event. Comments explicitly state that the reparse buffer is incomplete and that cloud attributes/reparse handling are not actually implemented. As written, it does not perform a working privileged file write or trigger code execution; instead it models the attack chain conceptually. The intended attack path described by both code comments and README is: a low-privileged local user prepares a cloud-tagged file, abuses directory junctions/reparse points, and relies on Microsoft Defender running as SYSTEM to rewrite or restore the file into a protected location. That would yield arbitrary file write as SYSTEM and potentially enable overwriting a privileged binary such as `TieringEngineService.exe`, followed by execution/activation for full SYSTEM compromise. Because the repository lacks the real cloud-file manipulation, proper reparse-point construction, race logic, and execution trigger, this should be classified as a PoC skeleton rather than an operational exploit. No network communication, C2, remote callbacks, or external service interaction are present in the code. Fingerprintable artifacts are primarily local filesystem targets and references: `%TEMP%\RedSun_PoC`, `%TEMP%\RedSun_PoC\malicious.cloud`, `%TEMP%\RedSun_PoC\junction`, and `C:\Windows\System32`. Overall purpose: educational demonstration of a Defender local privilege escalation technique based on improper link resolution during remediation/rollback.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
127 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Another Microsoft Defender vulnerability previously disclosed by the same researcher and mentioned only for background comparison.
A previously disclosed and patched Microsoft Defender vulnerability mentioned only as background context.
A previously disclosed Microsoft vulnerability referenced as one of several zero-days published by the same researcher; no further technical details are provided in the content.
A Microsoft Defender vulnerability previously disclosed by Chaotic Eclipse and since patched by Microsoft.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.