CVE-2026-55011: Update Defender Engine to 1.1.26060.3008

Microsoft has fixed CVE-2026-55011, a remote code execution vulnerability in the Microsoft Malware Protection Engine, by updating the engine from affected version 1.1.26050.11 to version 1.1.26060.3008. Because the engine normally updates automatically alongside Microsoft Defender security intelligence, most Windows systems should receive the correction without a conventional Windows Update package or administrator-initiated installation.
Detailed in a Microsoft Security Response Center advisory published July 14, 2026, the issue affects the mpengine.dll component responsible for scanning, detecting, and cleaning malicious content. That puts the vulnerability inside a security component trusted to inspect potentially hostile files—one reason Defender engine updates deserve the same operational scrutiny as monthly Windows patches.
Administrators should verify that managed devices are running Microsoft Malware Protection Engine version 1.1.26060.3008 or later. Microsoft says version 1.1.26050.11 is the last engine release affected by CVE-2026-55011.

Cybersecurity dashboard shows an update in progress, malware removed, and protected devices connected to the cloud.The Fix Arrives Outside the Normal Windows Patch Path​

CVE-2026-55011 does not require users to download a standalone security update or install a KB package. Microsoft distributes Malware Protection Engine releases through Defender's existing update infrastructure, which is designed to deliver engine and malware-definition changes automatically.
This distinction matters during July 2026 patch validation. A machine can be fully current on cumulative Windows updates while retaining an outdated Defender engine if security intelligence distribution is broken, blocked, or intentionally redirected to an internal source that has not synchronized the latest files.
The relevant version boundary is straightforward:
  • Microsoft Malware Protection Engine 1.1.26050.11 is affected.
  • Microsoft Malware Protection Engine 1.1.26060.3008 addresses the vulnerability.
  • Any later engine version should also contain the correction, assuming Microsoft does not document an unusual regression.
Microsoft typically updates the Malware Protection Engine monthly or as necessary, while Defender security intelligence generally receives updates several times per day. The company can increase that frequency when responding to active or rapidly changing threats.
That delivery cadence is why Microsoft says no separate installation action is required. It is not, however, a reason to skip verification. The absence of a traditional installer transfers the administrator's attention from patch deployment to update-health monitoring.

Disabled Defender Can Still Trigger Scanner Findings​

One likely source of confusion is that vulnerability scanners may identify CVE-2026-55011 on systems where Microsoft Defender Antivirus has been disabled. Microsoft explains that scanners often make their determinations by locating specific binaries and comparing their version numbers against known affected releases.
Disabling Defender does not necessarily remove mpengine.dll or the surrounding Defender files from Windows. Those binaries can remain on disk, allowing inventory and vulnerability-management products to detect an affected engine version even though the engine is not actively scanning content.
According to Microsoft, a system with Defender disabled is not in an exploitable state through this vulnerability. That makes the distinction between file presence and active exposure especially important when triaging scanner output.
Security teams should avoid treating that statement as permission to suppress every finding automatically. They first need to confirm that Defender is genuinely disabled rather than merely running in passive mode, temporarily deactivated, or expected to resume operation if a third-party antivirus product is removed.
Microsoft Defender Antivirus can change operating state as endpoint-security products are installed, uninstalled, or reconfigured. A dormant vulnerable binary that later becomes active could reintroduce exposure if the engine has not been kept current in the meantime.
The cleaner operational response is therefore to update the retained Defender components where possible, then document inactive-product findings separately in the vulnerability-management platform. This reduces future ambiguity and prevents the organization from depending indefinitely on a configuration-based mitigation.

Update Health Becomes the Control That Matters​

For consumer Windows PCs with default settings and normal internet access, the update should arrive through Defender's automatic maintenance processes. Enterprise environments have more ways for that process to fail, including stale WSUS approvals, disconnected endpoint-management infrastructure, restrictive proxy rules, outdated internal shares, and devices that remain offline for long periods.
Microsoft recommends regularly confirming that distribution of Malware Protection Engine and security intelligence updates is functioning as expected. For CVE-2026-55011, that means checking the engine version itself rather than relying solely on the status of July's cumulative Windows update.
On an individual Windows device, administrators can inspect Defender status with PowerShell:
Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusEnabled, AMRunningMode
AMEngineVersion should report 1.1.26060.3008 or a later release. AntivirusEnabled and AMRunningMode help establish whether Defender is active, passive, or otherwise operating under a managed configuration.
An update can also be requested from an elevated PowerShell session:
Update-MpSignature
The command name refers to signature updates, but Defender's update mechanism can deliver the supporting platform and engine content needed by the product. Enterprises should still use their established management tooling and change controls rather than treating an interactive command as the primary fleet-wide deployment method.
Administrators investigating machines that remain on 1.1.26050.11 should examine update-source policy, network connectivity to the configured source, endpoint-management logs, Defender event logs, and the age of installed security intelligence. Multiple stale values usually indicate a broader servicing failure rather than a problem unique to this CVE.

The Affected Component Extends Beyond Windows Defender​

The vulnerable component is not limited conceptually to the Windows Security interface that users recognize as Microsoft Defender Antivirus. The Microsoft Malware Protection Engine supplies scanning and remediation capabilities to several Microsoft antimalware products.
Microsoft specifically identifies Windows Defender, Microsoft System Center Endpoint Protection, System Center 2012 Endpoint Protection, System Center 2012 R2 Endpoint Protection, and Microsoft Security Essentials as products that use the engine. Some of those products belong to legacy deployment patterns, making inventory accuracy particularly important in environments that have accumulated older management agents or endpoint-protection packages.
Microsoft says Defender runs by default on supported versions of Windows. Organizations using a different endpoint detection and response platform may nevertheless retain Microsoft antimalware components because they are included with the operating system.
The fixed engine also contains unspecified defense-in-depth improvements beyond the change directly associated with CVE-2026-55011. Microsoft has not provided technical detail in the advisory about those additional protections, so administrators should regard them as another reason to deploy the current engine rather than attempting to isolate only the CVE-specific change.
The immediate task is not to hunt for a missing KB number. It is to verify that automatic Defender servicing has moved every active installation beyond 1.1.26050.11—and to distinguish inactive binaries that merely trigger version-based scans from systems where the vulnerable engine is actually running.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top