CVE-2026-45584 is a heap-based buffer overflow vulnerability in Microsoft Defender, specifically reported as affecting the Microsoft Malware Protection Engine version 1.26030.3008. Microsoft describes the issue as allowing an unauthorized attacker to execute code over a network. Available reporting indicates this is a remote code execution flaw in the Defender scanning/processing path, but the provided content does not identify the exact vulnerable function, parser, or code path. The vulnerability is classified as CWE-122 and carries CVSS v3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable exploitation with high attack complexity and no required privileges or user interaction.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is not an exploit implementation but a minimal proof-of-concept/advisory package for CVE-2026-45584. It contains only two files: a short README naming the CVE and a text report describing a crafted ZIP sample and the resulting crash dump. There is no source code, framework integration, shellcode, or post-exploitation payload.

The described trigger is file-based: scanning a specially crafted ZIP archive whose internal archive path is close to the maximum length crashes MsMpEng.exe with a heap out-of-bounds write in mpengine.dll, in the QEX quarantine/history record parsing path the report names as ParseQexResourceRecordList. According to the report, the attacker-controlled record payload length is validated as a 16-bit value, but the allocation size is computed by adding header overhead to that length and truncating the sum to 16 bits. A length near 0xFFFF therefore wraps to a small (or zero) allocation, while the subsequent copy still uses the full length (the report gives 0xffee as an example copy length), so the copy runs past the end of the heap block and faults on write.

The repository is documentation only. The report references two external artifacts that would normally accompany it, the crafted ZIP trigger sample and a minidump, which are not included. The reproduction steps are: confirm Defender protections are enabled, extract the password-protected transport archive, locate MpCmdRun.exe in the engine platform directory under ProgramData (C:\ProgramData\Microsoft\Windows Defender\Platform\), and scan vuln2_qex_longpath_eicar_single_layer.zip with it directly. The expected result is a crash of MsMpEng.exe with faulting module mpengine.dll and exception code 0xc0000005 (access violation).

Two caveats for anyone evaluating this: the report demonstrates a crash (a write access violation), not code execution, and no attempt is made to turn the out-of-bounds heap write into RCE; and the proof-of-concept triggers the bug by invoking a scan locally, while reachability through the network-delivered scanning path implied by Microsoft's AV:N rating is not discussed in the repository. Because the repository lacks executable exploit code and only documents the trigger and reproduction workflow, it is best classified as a POC rather than an operational or weaponized exploit.
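The sizing bug the report describes, modelled as an added example in C (this is not code from the repository and not code from mpengine.dll): a record length that passes a 16-bit check, an allocation size that wraps when header overhead is added in 16-bit arithmetic, and the hardened sizing that widens before adding and bounds the result. The record layout, the header overhead value HDR_OVERHEAD, the cap MAX_RECORD_BYTES and all function names are assumptions; HDR_OVERHEAD is chosen so that the report's 0xffee figure makes the 16-bit sum wrap to exactly zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire layout for one record (illustrative; the real QEX record
 * format is not given on the page):
 *   [0..1]  uint16 little-endian payload_len
 *   [2..]   payload_len bytes of payload
 * HDR_OVERHEAD is the fixed header the parser prepends in its own heap copy.
 * The value 0x12 is an assumption chosen so that the report's example copy
 * length 0xffee makes the 16-bit sum wrap to exactly 0. */
#define HDR_OVERHEAD 0x12u
#define MAX_RECORD_BYTES 0x10000u   /* assumed policy cap on an in-memory record */

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Sizing as the report describes the bug: payload_len has already passed a
 * 16-bit range check, the header overhead is added, and the sum is kept in a
 * 16-bit variable. For 0xffee this yields 0x10000 & 0xffff == 0. */
static uint16_t vuln_alloc_size(uint16_t payload_len) {
    uint16_t alloc = (uint16_t)(payload_len + HDR_OVERHEAD); /* silent wrap */
    return alloc;
}

/* 1 if the vulnerable sizing allocates fewer bytes than the parser then
 * writes (header plus a payload copy of payload_len bytes). The copy itself
 * is deliberately not performed here; this only models the size mismatch. */
static int vuln_would_overflow(uint16_t payload_len) {
    size_t written = HDR_OVERHEAD + (size_t)payload_len;
    return (size_t)vuln_alloc_size(payload_len) < written;
}

/* Hardened sizing: widen to size_t before adding, then bound the result.
 * Returns the allocation size, or 0 when the record must be rejected. */
static size_t safe_alloc_size(uint16_t payload_len) {
    size_t total = (size_t)payload_len + HDR_OVERHEAD;
    return total > MAX_RECORD_BYTES ? 0 : total;
}

/* Parse one record with the hardened sizing. On success *out receives a
 * calloc'd block of *out_len bytes (caller frees) with the payload at
 * offset HDR_OVERHEAD; returns 0 on success, -1 on a truncated input,
 * -2 on an oversized record, -3 on allocation failure. */
static int parse_record_safe(const uint8_t *buf, size_t buf_len,
                             uint8_t **out, size_t *out_len) {
    if (buf_len < 2) return -1;
    uint16_t payload_len = read_le16(buf);
    if (buf_len - 2 < payload_len) return -1;          /* length exceeds input */
    size_t alloc = safe_alloc_size(payload_len);
    if (alloc == 0) return -2;
    uint8_t *rec = calloc(1, alloc);
    if (rec == NULL) return -3;
    memcpy(rec + HDR_OVERHEAD, buf + 2, payload_len);  /* fits by construction */
    *out = rec;
    *out_len = alloc;
    return 0;
}

/* Convenience wrapper: returns the allocated size for a record that parses,
 * or 0 when it is rejected. */
static size_t safe_parse_len(const uint8_t *buf, size_t buf_len) {
    uint8_t *rec = NULL;
    size_t n = 0;
    if (parse_record_safe(buf, buf_len, &rec, &n) != 0) return 0;
    free(rec);
    return n;
}

/* Constructed sample inputs (not taken from the repository's ZIP sample). */
static const uint8_t kSmallRecord[] = { 0x04, 0x00, 'A', 'B', 'C', 'D' };
/* Declares 0x10 payload bytes but carries only two: must be rejected. */
static const uint8_t kTruncatedRecord[] = { 0x10, 0x00, 'X', 'Y' };

int main(void) {
    uint16_t crafted = 0xffee;   /* copy length quoted in the report */
    printf("len 0x%04x: vulnerable alloc = %u bytes, copy writes 0x%zx bytes, overflow=%d\n",
           crafted, (unsigned)vuln_alloc_size(crafted),
           HDR_OVERHEAD + (size_t)crafted, vuln_would_overflow(crafted));
    printf("len 0x%04x: hardened alloc = 0x%zx bytes\n", crafted, safe_alloc_size(crafted));
    printf("small record parses to %zu bytes; truncated record -> %zu\n",
           safe_parse_len(kSmallRecord, sizeof kSmallRecord),
           safe_parse_len(kTruncatedRecord, sizeof kTruncatedRecord));
    return 0;
}
```

The fix is the ordinary one for this bug class: perform the addition in a type wide enough to hold the largest possible sum, compare the result against an explicit cap, and only then allocate, so the size used for the allocation and the size used for the copy can never diverge.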
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The tracked sources agree on the core facts: a heap-based buffer overflow in Microsoft Defender, affecting Microsoft Malware Protection Engine v1.26030.3008, that could allow an unauthorized attacker to execute code over a network. None of them reports evidence of active exploitation.