CISA Sets June 3 Deadline for Two Exploited Microsoft Defender Zero-Days

  • Deadline
  • Action required
  • High importance

Two Defender zero-days landed in CISA's KEV on May 20, with a hard remediation deadline of June 3. CVE-2026-41091 is the nastier of the pair: a local privilege escalation to SYSTEM via the Malware Protection Engine. Its CVSS score is not yet published, but KEV inclusion says enough. CVE-2026-45498 is subtler: a DoS that blocks definition updates. That one doesn't pop a shell, but it blind-spots the engine at exactly the moment an attacker would want it quiet. Fixes shipped in Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7; both update automatically on systems that allow it. If your fleet has any machines with Defender auto-update disabled (air-gapped hosts, golden images, test environments), the June 3 deadline is now an action item, not a background note. The combination of an escalation bug and a definition-update blocker in the same release cycle is the kind of pairing that makes a real attack chain.
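To find the machines that still need attention, the check below compares each host's Defender engine and platform versions against the fixed versions named above. It is an added example, not code from CISA or Microsoft; the host list and the `Test-DefenderPatchLevel` helper are hypothetical, and it assumes the built-in `Get-MpComputerStatus` cmdlet is available and remote hosts are reachable over CIM.

```powershell
# Added example. Minimum fixed versions are the ones named in the text above.
$MinEngine   = [version]'1.1.26040.8'    # Malware Protection Engine
$MinPlatform = [version]'4.18.26040.7'   # Antimalware Platform

function Test-DefenderPatchLevel {
    # Hypothetical helper: compares as [version], never as strings
    # (string comparison would rank '1.1.9999.0' above '1.1.26040.8').
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$EngineVersion,
        [Parameter(Mandatory)][string]$PlatformVersion,
        [Nullable[datetime]]$SignatureUpdated
    )
    $engineOk   = [version]$EngineVersion   -ge $MinEngine
    $platformOk = [version]$PlatformVersion -ge $MinPlatform
    [pscustomobject]@{
        ComputerName     = $ComputerName
        Engine           = $EngineVersion
        Platform         = $PlatformVersion
        SignatureUpdated = $SignatureUpdated   # stale date = updates may be blocked
        Status           = if ($engineOk -and $platformOk) { 'Patched' } else { 'NeedsUpdate' }
    }
}

# Hypothetical host list; replace with the machines whose auto-update is disabled.
$Targets = @('localhost')

$report = foreach ($t in $Targets) {
    try {
        $s = if ($t -eq 'localhost') {
            Get-MpComputerStatus -ErrorAction Stop
        } else {
            Get-MpComputerStatus -CimSession $t -ErrorAction Stop
        }
        Test-DefenderPatchLevel -ComputerName $t -EngineVersion $s.AMEngineVersion `
            -PlatformVersion $s.AMProductVersion -SignatureUpdated $s.AntivirusSignatureLastUpdated
    } catch {
        # Defender service stopped or host unreachable: report it, do not assume it is fine.
        [pscustomobject]@{ ComputerName = $t; Engine = $null; Platform = $null
                           SignatureUpdated = $null; Status = "Unknown: $($_.Exception.Message)" }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Golden images and air-gapped hosts that cannot be queried remotely can run the same script locally with the default `localhost` target.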