On Wednesday, Microsoft released a patch for a zero-day vulnerability in its Windows Defender security engine, known as RoguePlanet (CVE-2026-50656). Discovered by the researcher NightmareEclipse, this flaw could allow remote attackers to gain administrative control over Windows 10 and Windows 11 machines, even with real-time protection disabled.
Impact of RoguePlanet Vulnerability
RoguePlanet came to light in June, when NightmareEclipse disclosed the vulnerability alongside exploit code. Microsoft’s patch aims to address the issue; however, it inadvertently introduces a new risk. According to NightmareEclipse, the update may enable attackers to fill a hard drive by writing excessively large files, potentially causing system instability.
The patch, which updates the Microsoft Malware Protection Engine, is automatically downloaded and installed without user intervention. Along with fixing the zero-day vulnerability, it includes additional defense-in-depth updates aimed at enhancing overall security. However, these updates have created a problem in the mpengine.dll driver, which may leak data while opening files.
Technical Details of the Exploit
The vulnerability allows a malicious actor to exploit the behavior of the Server Message Block (SMB) protocol, which is used for sharing files over a local network. NightmareEclipse explains that a custom SMB server can be set up to serve a malicious file followed by a massive ADS file (alternative data stream). This setup can cause Windows Defender to hang, locking files that consume the entire disk space.




