@blamejs/exceptd-skills 0.13.69 → 0.13.70

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.70 — 2026-05-24
+
+CVE catalog currency: adds **CVE-2026-45498**, the actively-exploited Microsoft Defender remote denial of service (CVSS 7.5 — network, unauthenticated; CISA KEV 2026-05-20, due 2026-06-03), companion to CVE-2026-41091 in the same Defender advisory. Uncontrolled resource consumption (CWE-400) lets a remote attacker crash or hang Defender, removing the host's AV/EDR coverage — a defense-impairment primitive (ATT&CK T1562.001) that enables follow-on intrusion. (Early press reported CVSS 4.0; NVD's authoritative score is 7.5.) Fixed in Defender antimalware platform 4.18.26040.7 (auto-update, no reboot). The entry carries RWEP scoring (P2, 45 via lib/scoring.js), CWE-400 and ATT&CK T1562.001/T1499 mappings, global-first framework-gap declarations, behavioral IoCs, and a zero-day lesson whose new control (NEW-CTRL-079) makes loss of AV/EDR availability a monitored security event. Postdates the catalog's prior bulk KEV intake (KEV catalog 2026.05.15).
+
 ## 0.13.69 — 2026-05-24
 
 CVE catalog currency: adds **CVE-2026-34926**, the actively-exploited Trend Micro Apex One directory traversal (CVSS 6.7; CISA KEV 2026-05-21, due 2026-06-04). A relative path traversal (CWE-23) on the on-premise management server lets an attacker who already holds server admin credentials modify a key table and inject malicious code that the server deploys to every managed agent — a fleet-wide push through the security tool's own trusted deployment channel (Scope:Changed). Fixed in Apex One on-premise 14.0.0.17079 / SaaS 14.0.20731. The entry carries RWEP scoring (P2, 52, computed via lib/scoring.js — PR:H/AC:H gate it below an unauthenticated RCE), CWE-23/22 and ATT&CK T1072/T1083 mappings, global-first framework-gap declarations, behavioral IoCs, and a zero-day lesson whose new control (NEW-CTRL-078) makes the endpoint-management deployment channel an integrity-monitored control plane. Postdates the catalog's prior bulk KEV intake (KEV catalog 2026.05.15).

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-25T06:06:07.403Z",
+  "generated_at": "2026-05-25T06:30:17.716Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "57d3b2ca1e729f2486752235575cbb98c8255f532a5dce65cdcfdb69b4447d59",
+    "manifest.json": "2ef5e043e6e1ca9519dc9bccf1df86d42b46a2244c8885a01dd88e24d60eec8b",
     "data/atlas-ttps.json": "019f12d24dc45ef8f5ae8812dec7c31a9506429a94751aaa559890a007ec6b22",
-    "data/attack-techniques.json": "b47836e9a4707ce79c35cbe58a5bdb8d0d7b8e6d94e489c17c93c465844f02ee",
-    "data/cve-catalog.json": "2bb2cda179aac7e1d8e16beeefef545eaabbb828ab1ee8fca80d285f248b15cf",
-    "data/cwe-catalog.json": "641910cd99496ed3743b4b74ecf152bd67c2cc982c4dc90b22fe204973f33cfa",
+    "data/attack-techniques.json": "c5cb0ab9d14f531a671623cad187aa92afb647626fd1170cb934e8d19ba4221d",
+    "data/cve-catalog.json": "0d8e58d0f666b47596985d86619c2cc739070e4ce644be14af100aae3fbedde7",
+    "data/cwe-catalog.json": "ab362db52eb840fec10e3b568418a6420cddc1fad1a02d3b7b34b187ffdcfba4",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "5f71b6dc8f07264de30b5fc58229e4796bae90ce696f491c661499d53d4ac5b9",
+    "data/framework-control-gaps.json": "d76aa93b18b997f783b4e615b117452020641fa546db6418ffe7fdacdff14b2b",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "ef83f6d0844eaa5b6fd7a2b12cc24d64dfdea8d269537d766cc0e1870162a9f9",
+    "data/zeroday-lessons.json": "a8283ec189cc26bab26ae942529cbce3c0fa9bea853eb8bf06a5a38e26bab41c",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 304,
+    "chains_cve_entries": 305,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 315
+      "entry_count": 316
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 315
+      "entry_count": 316
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 315,
+      "entry_count": 316,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 315,
+      "entry_count": 316,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -16757,6 +16757,260 @@
       ]
     }
   },
+  "CVE-2026-45498": {
+    "name": "Microsoft Defender Remote Denial of Service (Antimalware Platform)",
+    "rwep": 45,
+    "cvss": 7.5,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [
+      "kernel-lpe-triage",
+      "attack-surface-pentest",
+      "ot-ics-security",
+      "coordinated-vuln-disclosure",
+      "sector-energy"
+    ],
+    "chain": {
+      "cwes": [
+        {
+          "id": "CWE-1037",
+          "name": "Processor Optimization Removal or Modification of Security-critical Code",
+          "category": "Hardware / Side Channel"
+        },
+        {
+          "id": "CWE-125",
+          "name": "Out-of-bounds Read",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-1357",
+          "name": "Reliance on Insufficiently Trustworthy Component",
+          "category": "Supply Chain"
+        },
+        {
+          "id": "CWE-1395",
+          "name": "Dependency on Vulnerable Third-Party Component",
+          "category": "Supply Chain"
+        },
+        {
+          "id": "CWE-22",
+          "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
+          "category": "Path/Resource"
+        },
+        {
+          "id": "CWE-269",
+          "name": "Improper Privilege Management",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-287",
+          "name": "Improper Authentication",
+          "category": "Authentication"
+        },
+        {
+          "id": "CWE-306",
+          "name": "Missing Authentication for Critical Function",
+          "category": "Authentication"
+        },
+        {
+          "id": "CWE-352",
+          "name": "Cross-Site Request Forgery (CSRF)",
+          "category": "Session"
+        },
+        {
+          "id": "CWE-362",
+          "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
+          "category": "Concurrency"
+        },
+        {
+          "id": "CWE-416",
+          "name": "Use After Free",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-434",
+          "name": "Unrestricted Upload of File with Dangerous Type",
+          "category": "File Handling"
+        },
+        {
+          "id": "CWE-672",
+          "name": "Operation on a Resource after Expiration or Release",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-732",
+          "name": "Incorrect Permission Assignment for Critical Resource",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-78",
+          "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-787",
+          "name": "Out-of-bounds Write",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-79",
+          "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-798",
+          "name": "Use of Hard-coded Credentials",
+          "category": "Credentials"
+        },
+        {
+          "id": "CWE-89",
+          "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-918",
+          "name": "Server-Side Request Forgery (SSRF)",
+          "category": "Network"
+        }
+      ],
+      "atlas": [
+        {
+          "id": "AML.T0010",
+          "name": "ML Supply Chain Compromise",
+          "tactic": "Initial Access"
+        },
+        {
+          "id": "AML.T0043",
+          "name": "Craft Adversarial Data",
+          "tactic": "ML Attack Staging"
+        },
+        {
+          "id": "AML.T0051",
+          "name": "LLM Prompt Injection",
+          "tactic": "Execution"
+        }
+      ],
+      "d3fend": [
+        {
+          "id": "D3-ASLR",
+          "name": "Address Space Layout Randomization",
+          "tactic": "Harden"
+        },
+        {
+          "id": "D3-CSPP",
+          "name": "Client-server Payload Profiling",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-EAL",
+          "name": "Executable Allowlisting",
+          "tactic": "Harden"
+        },
+        {
+          "id": "D3-NTA",
+          "name": "Network Traffic Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-PHRA",
+          "name": "Process Hardware Resource Access",
+          "tactic": "Isolate"
+        },
+        {
+          "id": "D3-PSEP",
+          "name": "Process Segment Execution Prevention",
+          "tactic": "Harden"
+        }
+      ],
+      "framework_gaps": [
+        {
+          "id": "CIS-Controls-v8-Control7",
+          "framework": "CIS Controls v8",
+          "control_name": "Continuous Vulnerability Management"
+        },
+        {
+          "id": "IEC-62443-3-3",
+          "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
+          "control_name": "System security requirements and security levels"
+        },
+        {
+          "id": "ISO-27001-2022-A.8.8",
+          "framework": "ISO/IEC 27001:2022",
+          "control_name": "Management of technical vulnerabilities"
+        },
+        {
+          "id": "NERC-CIP-007-6-R4",
+          "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
+          "control_name": "Security event monitoring"
+        },
+        {
+          "id": "NIS2-Art21-patch-management",
+          "framework": "EU NIS2 Directive",
+          "control_name": "Vulnerability handling and disclosure"
+        },
+        {
+          "id": "NIST-800-115",
+          "framework": "NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)",
+          "control_name": "Technical Guide to Information Security Testing and Assessment"
+        },
+        {
+          "id": "NIST-800-218-SSDF",
+          "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
+          "control_name": "Secure Software Development Framework"
+        },
+        {
+          "id": "NIST-800-53-SC-8",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Transmission Confidentiality and Integrity"
+        },
+        {
+          "id": "NIST-800-53-SI-2",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Flaw Remediation"
+        },
+        {
+          "id": "NIST-800-82r3",
+          "framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
+          "control_name": "Guide to Operational Technology (OT) Security"
+        },
+        {
+          "id": "OWASP-Pen-Testing-Guide-v5",
+          "framework": "OWASP Web Security Testing Guide v5 (WSTG)",
+          "control_name": "Web application penetration testing methodology"
+        },
+        {
+          "id": "PCI-DSS-4.0-6.3.3",
+          "framework": "PCI DSS 4.0",
+          "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
+        },
+        {
+          "id": "PTES-Pre-engagement",
+          "framework": "Penetration Testing Execution Standard (PTES)",
+          "control_name": "Pre-engagement Interactions"
+        },
+        {
+          "id": "SOC2-CC9-vendor-management",
+          "framework": "SOC 2 (AICPA Trust Services Criteria)",
+          "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
+        }
+      ],
+      "attack_refs": [
+        "T0855",
+        "T0883",
+        "T1059",
+        "T1068",
+        "T1078",
+        "T1133",
+        "T1190",
+        "T1548.001"
+      ],
+      "rfc_refs": [
+        "RFC-4301",
+        "RFC-4303",
+        "RFC-7296"
+      ]
+    }
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "rwep": 77,
@@ -41796,6 +42050,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -42138,6 +42393,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083",
@@ -42276,6 +42532,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083",
@@ -42428,6 +42685,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083",
@@ -43090,6 +43348,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -43686,6 +43945,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -44263,6 +44523,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -44472,6 +44733,7 @@
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -45119,6 +45381,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -45525,6 +45788,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -45918,6 +46182,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -46155,6 +46420,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -47113,6 +47379,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -47414,6 +47681,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -47905,6 +48173,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -48214,6 +48483,7 @@
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -49130,6 +49400,7 @@
       "CVE-2026-41091",
       "CVE-2026-42208",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -49197,6 +49468,7 @@
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083"
@@ -49927,6 +50199,7 @@
       "CVE-2026-41940",
       "CVE-2026-42945",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -50167,6 +50440,7 @@
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083",

package/data/attack-techniques.json

@@ -1610,7 +1610,8 @@
       "DS0022"
     ],
     "cve_refs": [
-      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND"
+      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2026-45498"
     ],
     "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
     "description_full": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
@@ -2663,7 +2664,8 @@
     "last_verified": "2026-05-19",
     "notes": "Added v0.13.17 to support DoS-class KEV bulk imports.",
     "cve_refs": [
-      "CVE-2025-6543"
+      "CVE-2025-6543",
+      "CVE-2026-45498"
     ],
     "description_full": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
     "platforms": [

package/data/cve-catalog.json

@@ -9698,6 +9698,118 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Trend Micro Apex One on-premise contains a directory traversal that lets a pre-authenticated local attacker modify a key table to inject malicious code deployed to agents."
   },
+  "CVE-2026-45498": {
+    "name": "Microsoft Defender Remote Denial of Service (Antimalware Platform)",
+    "type": "DoS",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH) — network, no-auth, availability-only. (Some early press reported 4.0; NVD's authoritative score is 7.5.) The impact is defense impairment: remotely knocking out Microsoft Defender removes the host's AV/EDR coverage, enabling follow-on intrusion.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "cisa_kev_due_date_note": "CISA KEV (FCEB) remediation deadline for the 2026-05-20 listing; verified against the live KEV catalog (same batch as CVE-2026-41091).",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed with Microsoft 'Exploitation Detected'. No public proof-of-concept repository verified at curation time.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Microsoft's MSRC process; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft flagged 'Exploitation Detected'; CISA added the CVE to the KEV catalog on 2026-05-20 alongside CVE-2026-41091 (Defender LPE). Help Net Security and The Hacker News reported active exploitation 2026-05-21.",
+    "affected": "Microsoft Defender Antimalware Platform versions 4.18.26030.3011 through 4.18.26040.7, excluding the fixed build 4.18.26040.7.",
+    "affected_versions": [
+      "Microsoft Defender Antimalware Platform >= 4.18.26030.3011, < 4.18.26040.7"
+    ],
+    "vector": "Uncontrolled resource consumption (CWE-400) in the Microsoft Defender antimalware platform, reachable over the network without authentication, lets an attacker crash or hang Defender. Because the result is loss of AV/EDR availability, the bug is a defense-impairment primitive (ATT&CK T1562.001): an attacker can disable endpoint protection ahead of, or during, an intrusion.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — remote, unauthenticated, low-complexity. Availability-only (C:N/I:N/A:H).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Microsoft Defender antimalware-platform auto-update (platform updates apply without reboot)"
+    ],
+    "live_patch_notes": "Defender's antimalware platform auto-updates; the fixed build is 4.18.26040.7 and applies without reboot. The exposed population is environments that pin or delay platform updates — verify the deployed platform version is >= 4.18.26040.7.",
+    "vendor_update_paths": [
+      "Ensure the Microsoft Defender Antimalware Platform is updated to 4.18.26040.7 or later (auto-update is the default; confirm it is not blocked by a managed-update policy)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed actively-exploited flaw; the CISA KEV due date (2026-06-03) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor require monitoring AV/EDR availability as a control whose loss is itself a security event.",
+      "NIS2-Art21-patch-management": "Article 21 measures treat the AV/EDR as a protective control but do not require detecting when that control is remotely disabled — a precondition this DoS creates.",
+      "DORA-Art-9": "ICT protection measures assume endpoint protection is present; remote loss of that protection is outside the typical availability-monitoring narrative for security tooling.",
+      "UK-CAF-B4": "System Security objective expects remediation but does not call out resilience/availability monitoring of the endpoint-protection agent itself.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic; it does not address remote denial of the security agent as a defense-evasion enabler."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1562.001",
+      "T1499"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 45 per lib/scoring.js). KEV-listed with confirmed exploitation; blast_radius=25 — Defender is present on virtually every Windows endpoint and the DoS is remote + unauthenticated. No verified public PoC; auto-update / no-reboot remediation lowers urgency (patch_available -15, live_patch_available -10). The significance is defense impairment: a remotely-disable-able AV is an intrusion enabler.",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45498",
+    "cwe_refs": [
+      "CWE-400"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Microsoft Defender service (WinDefend / MsMpEng) crash, hang, or repeated restart loop coinciding with inbound network activity to the host.",
+        "Gaps in Defender / AMSI telemetry forwarding to the SIEM that begin abruptly and are not explained by a sanctioned update or reboot — the host going dark on AV/EDR.",
+        "Deployed Defender antimalware platform version below 4.18.26040.7 on hosts that otherwise receive auto-updates — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-45498 mechanism (CWE-400 uncontrolled resource consumption, network/no-auth, availability impact on the Defender platform) and Microsoft's advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+      "https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/",
+      "https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD (CVSS 7.5, CWE-400) + Microsoft MSRC ('Exploitation Detected') + CISA KEV (added 2026-05-20, due 2026-06-03) + Help Net Security / The Hacker News (2026-05-21). Companion to CVE-2026-41091 in the same Defender advisory. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Defender contains an uncontrolled-resource-consumption flaw allowing a remote, unauthenticated denial of service that disables endpoint protection."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",