Image: Nightmare Eclipse
- CVE: CVE-2026-50656
- CVSS: 7.8 (High · CVSSv3)
- Product: Microsoft Malware Protection Engine
- Affected: 1.1.0.0
- Impact: Microsoft Defender Elevation of Privilege Vulnerability
- Status: No confirmed exploitation yet
- Patched in: 1.1.26060.3008
- EPSS: 3.4% (30-day)
- Action: Update to 1.1.26060.3008 now
TL;DR
Microsoft patched a Microsoft Defender zero-day named RoguePlanet, tracked as CVE-2026-50656. The flaw is a race condition that hands a local attacker SYSTEM privileges. It works on fully patched Windows 10 and 11, even with real-time protection off. A public proof-of-concept exists, but Microsoft reports no exploitation in the wild.
Why it matters
Defender ships on every supported version of Windows. So a bug in its scanning engine reaches a massive install base. This Microsoft Defender zero-day stands out because the attacker abuses the security tool itself to escalate. That turns a defender into an attack surface. Attackers often chain such flaws after a phishing foothold to seize full control.
How the attack works
RoguePlanet abuses a time-of-check to time-of-use race in Defender’s file handling. During a scan, Defender checks a file, then reopens it a moment later. The exploit swaps the file in that narrow gap. Because Defender runs as SYSTEM, the substituted payload then executes with SYSTEM rights. The result is a command prompt with full system access.
The race does not win every time. Still, the researcher reported near-perfect success on some machines and noted that automated retries make it practical. Notably, the exploit works whether Defender’s real-time protection is on or off.
The disclosure dispute
A researcher using the handle Nightmare Eclipse released RoguePlanet hours after the June 2026 Patch Tuesday. The drop is part of a running feud with Microsoft over its bug bounty and disclosure process. After Microsoft removed the researcher’s GitHub and GitLab repositories, they moved the proof-of-concept to a self-hosted Git server. Microsoft has not credited the researcher for the find. RoguePlanet also follows a string of related zero-days from the same person, including BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091).
Affected versions
The bug lives in the Microsoft Malware Protection Engine, mpengine.dll. The last vulnerable engine build is 1.1.26050.11. Defender runs on all supported Windows releases, so the reach is wide.
Patch and mitigation
Microsoft fixed the flaw in Malware Protection Engine 1.1.26060.3008. The engine updates itself by default, so most systems need no action. Admins should still confirm the engine version across the fleet. For version checks, read Microsoft’s CVE-2026-50656 advisory.
Defense tips
Patch first, then reduce the blast radius. Limit local admin rights so SYSTEM on one host does not spread. Favor signature or publisher rules over path-based ones, since the exploit relies on trusted paths. Monitoring for odd file moves inside Windows directories can also catch the chain early.
A caveat after the fix
One issue is worth noting. In a follow-up write-up, the researcher claims the new mitigations still leak a few bytes of data. They also describe a separate quirk where Defender caches an oversized Zone.Identifier stream from a stalling file server. That behavior can hang Defender and exhaust disk space, which destabilizes the host. Treat it as a lower-severity denial-of-service concern, not code execution.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.