Microsoft has fixed the critical privilege escalation vulnerability CVE-2026-50656 (RoguePlanet) in Microsoft Defender, rated 7.8 on the CVSS scale, but according to unconfirmed researcher reports, the released patch may have created a new vector for denial-of-service attacks. The issue affects Windows 10 and Windows 11 systems, and the Microsoft Malware Protection Engine update to version 1.1.26060.3008 is installed automatically. Administrators are advised to verify the engine version and monitor free disk space on critical systems until Microsoft provides official clarification.
Original RoguePlanet vulnerability
According to the official Microsoft advisory, the CVE-2026-50656 vulnerability is related to a race condition in Microsoft Defender. As stated in the entry in NVD, the vulnerability received a score of 7.8 on the CVSS scale, which corresponds to a high severity level. Exploitation allows an attacker to escalate privileges to SYSTEM and execute arbitrary code on fully patched systems.
Exploitation status: there is a public PoC exploit for this vulnerability, but at the time of publication there have been no confirmed cases of active exploitation in real-world attacks. The vulnerability is not listed in the CISA KEV catalog.
Alleged regression: DoS vector via Zone.Identifier
In addition to the main fix, the update included extra protective measures. Researcher Nightmare Eclipse claims in their blog that these measures created a potential vector for a DoS attack capable of completely filling the system disk. It is important to emphasize that this claim is based on a single source and has not been confirmed by Microsoft.
According to the researcher’s description, the mechanics of the issue look as follows:
- Under normal conditions, Defender limits the size of files written during scanning and when placing objects into quarantine, preventing disk space exhaustion.
- After the update, an exception allegedly appeared that is related to the SpyNet cloud subsystem and the handling of NTFS Alternate Data Streams (ADS) of type Zone.Identifier.
- Zone.Identifier is a hidden ADS that Windows automatically adds to files downloaded from the internet, storing information about the file’s origin and its security zone.
- According to the researcher, after the update Defender attempts to save a local copy of Zone.Identifier without limiting the size of the stream.
Described exploitation scenario
According to Nightmare Eclipse’s unconfirmed description, exploitation requires a specially configured SMB server that:
- Processes requests from Windows Defender and serves a suspicious executable file (the researcher cites Mimikatz as an example).
- Begins transmitting an abnormally large alternate data stream (for example, mimikatz.exe:Zone.Identifier).
- At a certain point stops responding to read requests but does not close the connection.
As a result, the researcher claims that Defender continues writing data to disk even after processing of the object fails, until free space is completely exhausted. The operating system allegedly continues to run, but the full disk triggers multiple failures in applications and system services.
Degree of reliability and Microsoft’s position
It is necessary to take into account significant limitations in assessing this information:
- The description of the new attack vector comes from a single source — the researcher’s blog — and has not been confirmed by independent experts.
- At the time of publication, Microsoft has not confirmed the described Defender behavior and has not responded to media inquiries on this issue.
- Details of the exploitation chain via SMB and unrestricted ADS writes have not been verified by primary vendor sources.
Context: Nightmare Eclipse’s series of disclosures
The RoguePlanet situation is part of an ongoing conflict between the researcher and Microsoft. According to available information, Nightmare Eclipse has disclosed several zero-day vulnerabilities in Windows components, including CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), CVE-2026-45498 (UnDefend), CVE-2026-45585 (YellowKey), and CVE-2026-45586 (GreenPlasma). The researcher accuses the Microsoft Security Response Center of ignoring reports and blocking their accounts, while Microsoft has criticized the publication of exploits before patches are released but later stated it had no intention of pursuing security researchers.
Recommendations
- Check the engine version: make sure the Microsoft Malware Protection Engine is updated to version 1.1.26060.3008 or later — this closes the confirmed CVE-2026-50656 vulnerability.
- Monitor disk space: until Microsoft issues an official position on the alleged regression, configure alerts for critical drops in free space on system disks of servers and workstations.
- Control SMB traffic: on the perimeter and inside the network, restrict incoming SMB connections to trusted sources. This reduces risk both for the described scenario and for many other SMB-based attacks.
- Audit Defender quarantine: periodically check the size of the Microsoft Defender quarantine directory for abnormal growth.
The main confirmed threat — CVE-2026-50656 — has already been mitigated by the automatic Defender engine update. The alleged side effect of the patch in the form of a DoS via Zone.Identifier remains an unconfirmed single claim. Until Microsoft issues an official response, reasonable measures include setting up disk space monitoring and restricting SMB access to untrusted resources — actions that are useful regardless of whether the new issue is confirmed.