CVE-2026-55012: Update Microsoft Defender Engine to 1.1.26060.3008

Microsoft has fixed CVE-2026-55012, a remote code execution vulnerability in the Microsoft Malware Protection Engine used by Microsoft Defender and several legacy antimalware products. The last affected engine is version 1.1.26050.11, while version 1.1.26060.3008 is the first release containing the correction.
Detailed in a Microsoft Security Response Center advisory published July 14, 2026, the vulnerability is being addressed through Defender’s normal protection-update system rather than a conventional Windows cumulative update. Microsoft says no separate installation action is required for systems receiving Malware Protection Engine updates automatically, but administrators should verify that their update infrastructure has actually delivered the fixed engine.
That distinction matters in managed environments. A device can be current on Windows patches while still running an outdated Defender engine because its WSUS approvals, Microsoft Configuration Manager deployment, network-share fallback, or security intelligence update policies are not working as intended.

Cybersecurity dashboard shows an antivirus engine update protecting healthy endpoints through a secure pipeline.The Fix Arrives Outside the Monthly Windows Package​

CVE-2026-55012 affects mpengine.dll, the Microsoft Malware Protection Engine component responsible for scanning, detection, and malware removal. On supported Windows installations, the engine underpins Microsoft Defender Antivirus and is serviced more frequently than the operating system itself.
The version boundary is the clearest way to assess exposure:
  • Microsoft Malware Protection Engine 1.1.26050.11 is the final version affected by CVE-2026-55012.
  • Microsoft Malware Protection Engine 1.1.26060.3008 is the first version in which Microsoft says the vulnerability is addressed.
  • Any later engine release should contain the fix, assuming Microsoft’s normal cumulative engine-servicing model.
Microsoft says Defender’s default configuration automatically keeps malware definitions and the engine updated. Definitions are typically updated three times per day and can be published more frequently when required, while engine updates generally arrive monthly or as needed.
The advisory also says the new engine contains defense-in-depth changes beyond the specific CVE correction. Microsoft has not characterized those additional changes in the supplied advisory, so administrators should not treat them as separate disclosed vulnerabilities.
Although the update is designed to arrive automatically, “no action required” should not be read as “no validation required.” It means there is no standalone patch that every administrator must manually download and install. Organizations remain responsible for confirming that their selected Defender update channel is healthy.

Check the Engine, Not Just the Signature Date​

Administrators can inspect the installed engine from an elevated PowerShell session:
Get-MpComputerStatus | Select-Object AMEngineVersion
The returned AMEngineVersion should be 1.1.26060.3008 or later. A broader status check can help distinguish the scanning engine from the Defender platform and security intelligence packages:
Code:
Get-MpComputerStatus | Select-Object `
    AMEngineVersion, `
    AMProductVersion, `
    AntivirusSignatureVersion, `
    AntivirusSignatureLastUpdated
These values represent different parts of Defender servicing. AMEngineVersion is the important field for CVE-2026-55012; a recent AntivirusSignatureVersion alone does not prove that the corrected engine is installed.
Microsoft’s Defender documentation says engine and platform updates normally follow a monthly cadence, while security intelligence arrives multiple times per day. Those frequent definition downloads do not necessarily include a new engine, which makes version-focused inventory particularly important for this vulnerability.
Organizations using Microsoft Defender for Endpoint can also review engine-version and update-health reporting in the Microsoft Defender portal. Microsoft’s device health documentation describes separate reporting cards for the antivirus engine, security intelligence, and Defender platform, allowing administrators to identify machines that are behind rather than relying on a general endpoint health status.
A useful enterprise query should account for devices that have stopped reporting. A dashboard showing no outdated engines can still provide false reassurance if a subset of systems is powered off, disconnected, unable to reach the reporting service, or excluded from normal management.

Disabled Defender Can Still Trigger Scanner Alerts​

Microsoft specifically addresses a likely source of confusion: vulnerability scanners may report CVE-2026-55012 on machines where Defender Antivirus is disabled.
Third-party scanners commonly identify vulnerable software by checking for a known binary and comparing its file or product version against the affected range. Disabling Defender does not necessarily remove its files from Windows, so an older copy of the Malware Protection Engine may remain on disk and satisfy the scanner’s detection rule.
Microsoft says systems where Defender is disabled are not in an exploitable state, even though the affected files remain present. That creates a difference between binary presence and operational exposure: the scanner has found vulnerable code, but the component is not active in the configuration Microsoft considers exploitable.
Administrators should avoid blindly suppressing every such detection. First confirm that Defender is genuinely disabled rather than running in active or passive mode, and document which endpoint security product has replaced it. Passive mode, periodic scanning, onboarding changes, product removal, or a future policy shift could alter whether the Defender engine is used.
Keeping the dormant engine updated is therefore still the cleaner operational outcome. It reduces scanner noise, prevents stale binaries from becoming relevant if Defender is re-enabled, and avoids relying on an exception whose validity depends on configuration remaining unchanged.
Scanner vendors may also need time to refine their detection logic. A version-only rule can accurately identify the affected binary without accurately representing exploitability, so security teams should distinguish “vulnerable file detected” from “vulnerable service active” in remediation records.

Update Infrastructure Is the Real Control Point​

The practical risk for enterprise IT lies with systems that do not receive Defender servicing directly from Microsoft Update. Microsoft supports several update sources and management paths, including Windows Update, WSUS, Microsoft Configuration Manager, network file shares, and Microsoft’s security intelligence update services.
Each introduces potential failure points. WSUS deployments may be missing approvals, Configuration Manager collections can exclude devices, file shares can contain stale packages, and restrictive network policies can block fallback sources. Devices used intermittently, including lab machines and nonpersistent virtual desktops, may also miss the normal rollout window.
Microsoft’s Defender troubleshooting guidance recommends checking the configured update-source order when security intelligence or protection updates stop arriving. In WSUS environments, administrators should verify that applicable Microsoft Defender Antivirus updates are synchronized and approved rather than assuming Windows cumulative-update approvals cover the engine.
A manual update check can be initiated with Defender’s command-line utility from the currently installed platform directory:
Update-MpSignature
Administrators can then rerun Get-MpComputerStatus to confirm whether the engine advanced to 1.1.26060.3008 or newer. If signatures update but the engine remains behind, the next step is to investigate the configured servicing source, rollout channel, and any approval or synchronization delays.
Golden images and offline installation media deserve separate attention. A patched running endpoint does not automatically make an old Windows image current. Newly provisioned devices may briefly begin life with an affected engine until their first successful protection update, particularly on isolated networks or during restricted deployment workflows.
The same review applies to products beyond the built-in Defender client. Microsoft identifies System Center Endpoint Protection, System Center 2012 Endpoint Protection, System Center 2012 R2 Endpoint Protection, and Microsoft Security Essentials as products that use the Malware Protection Engine. Some of those products belong to legacy estates where update failures may be more common and visibility less complete.
For CVE-2026-55012, the immediate administrative target is unambiguous: inventory AMEngineVersion, investigate active Defender installations below 1.1.26060.3008, and separately classify disabled installations that scanners flag because the old binaries remain on disk. The update may be automatic, but proving that it arrived is still an IT operation.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top