Microsoft has released security updates for a Defender vulnerability known as RoguePlanet, nearly a month after details of the flaw became public.
The vulnerability, tracked as CVE-2026-50656 (CVSS score: 7.8), is a privilege escalation issue in the Microsoft Malware Protection Engine (“mpengine.dll”), which provides scanning, detection, and cleaning capabilities for its antivirus and antispyware software.
The issue has been remediated in Microsoft Malware Protection Engine version 1.1.26060.3008, along with defense-in-depth updates to harden unspecified security-related features.
RoguePlanet was first disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse), describing it as a race condition that could be abused to spawn a shell with SYSTEM-level privileges. This, in turn, grants the attacker the ability to run arbitrary code or perform unauthorized actions.
The exploit has been found to work on systems running up-to-date versions of Windows with the June 2026 Patch Tuesday updates installed. Subsequently, Chaotic Eclipse also revealed that the exploit works regardless of whether real-time protection is on or not. Microsoft has not officially credited Chaotic Eclipse with the vulnerability discovery.
RoguePlanet is the fourth Defender vulnerability disclosed by the researcher after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft.
The Windows maker said no customer action is required to install the update for CVE-2026-50656, as the software is frequently updated to secure customers against new and evolving threats.
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” Microsoft said.
“Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.”
Update
In a post shared on their website, researcher Chaotic Eclipse said the newly introduced “defense-in-depth updates” can cause Microsoft Defender to leak 8 bytes of data when attempting to open a file in certain scenarios.
“I’m still trying to find a way to obtain the leaked bytes as a standard user but for now it only leaks data to drivers,” the researcher said. “Now one thing I noticed with Windows Defender is the fact that it is very careful when handling file sizes, there is [sic] hard limits on how big the file can be when scanning and quarantining files.”
“This implementation make [sic] sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space. I found a small exception to this rule, apparently the SpyNet functions in ‘mpengine.dll’ really wants to keep a local copy of Zone.Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways.”
A Zone.Identifier file is a hidden metadata tag, known as Alternate Data Stream (ADS), that’s used by Windows to track the origin of a file downloaded from the internet or received from untrusted sources. It is part of Microsoft’s security system called Mark of the Web (MotW).
Chaotic Eclipse said that a malicious actor could trigger this behavior using Server Message Block (SMB), a network communication protocol primarily used for sharing files, printers, and serial ports across a local area network (LAN). The researcher continued –
You will need a special setup to exploit this, a custom SMB server that will be handling requests from Windows Defender is needed, the SMB server should serve a malicious file (a good example is mimikatz executable) followed by a massive ADS file (a good example is mimikatz.exe:Zone.Identifier), in the process of replying to the read requests, at some point the SMB server should never respond to the read request but keep the connection alive. This will cause Defender to hang and keep a lock on the offending files that holds the entire disk space.
Obviously this won’t crash the machine but windows won’t behave properly with a full disk, multiple apps and services crash randomly.
The researcher also noted that they managed to reproduce the issue on Windows 11 25H2 and Windows Server 2025, causing Defender to completely exhaust a system’s disk space upon visiting an SMB server, adding they are trying to make the exploit work with WebDAV to skip the authentication requirement.
The Hacker News has contacted Microsoft for comment, and we will update the story if we hear back.
