Defender 1.1.26060.3008: Block SMB to Stop Windows Disk Exhaustion

Microsoft Defender’s RoguePlanet fix, delivered in Malware Protection Engine 1.1.26060.3008, is now under scrutiny for a separate flaw that can reportedly consume all available disk space on Windows 11 25H2 and Windows Server 2025. The issue does not restore RoguePlanet’s SYSTEM-level privilege escalation, but a public proof of concept shows Defender being manipulated into caching an enormous file stream until Windows runs out of storage.
Cybersecurity researcher Nightmare-Eclipse, who originally disclosed RoguePlanet, detailed the new behavior after reverse-engineering Microsoft’s updated mpengine.dll. As reported by PCWorld and Neowin, the attack uses a specially configured SMB server and an oversized Zone.Identifier alternate data stream to turn Defender’s own caching process into a denial-of-service mechanism.
Microsoft had not publicly acknowledged the disk-exhaustion report as of July 14, 2026. That leaves the finding in an important but still provisional category: technically demonstrated by its discoverer, reproduced on two current Microsoft platforms, but not yet confirmed through a Microsoft advisory or an independent technical analysis.

Cybersecurity illustration showing a Windows PC transferring data to servers, with an overflow warning.Defender’s Size Limit Has an ADS-Shaped Gap​

Microsoft Defender normally limits how much data it will write while scanning and quarantining files. Those restrictions are essential because antimalware engines routinely inspect untrusted content, including files large enough to place significant pressure on local storage.
Nightmare-Eclipse says Defender makes an exception when handling Zone.Identifier, an NTFS alternate data stream, or ADS. Windows commonly attaches this metadata to downloaded files as the Mark of the Web, recording that the content originated outside the local computer and may require additional security checks.
According to the researcher, functions associated with Defender’s SpyNet cloud-protection system attempt to retain a local copy of the Zone.Identifier stream regardless of its size. The reported code path therefore lacks the same effective size restrictions Defender applies to ordinary files and quarantine operations.
The proof of concept puts a suspicious file and a deliberately oversized Zone.Identifier stream on an attacker-controlled SMB server. When the Windows machine accesses the share, Defender begins inspecting and caching the content locally.
At a carefully selected point, the server stops answering a read request without closing the SMB connection. Defender reportedly remains stuck, holding the cached files open and reserving their storage until the Windows volume is full.
This is not described as an immediate blue-screen condition. The practical result can still be severe: Windows and its applications depend on free space for temporary files, databases, logs, updates, paging operations, and service state. Once the system drive reaches zero free space, applications may crash, services may fail, and administrators can lose normal management paths.

RoguePlanet Is Fixed, but the Patch Trail Matters​

RoguePlanet is the name given to CVE-2026-50656, an elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine. The original race condition could allow code already running under a standard user account to obtain NT AUTHORITY\SYSTEM, the highest local privilege context normally available on Windows.
Microsoft addressed that vulnerability with Malware Protection Engine version 1.1.26060.3008. The previous vulnerable engine identified in Microsoft’s information was 1.1.26050.11, and the replacement is distributed through Defender’s routine security intelligence update mechanism rather than solely through a monthly Windows cumulative update.
That distinction matters for administrators checking exposure. The relevant number is the Defender engine version, not simply whether July’s Windows updates appear in Settings or in a patch-management console.
The newly reported disk problem emerged from Nightmare-Eclipse’s analysis of the modified engine. The researcher also claims that Microsoft’s defense-in-depth changes introduced an eight-byte information leak under certain file-opening conditions, although it is currently observable only from kernel drivers and has not been demonstrated as a standard-user exploit.
The disk-exhaustion path is more tangible because the researcher has published a working demonstration. However, it remains unclear whether the vulnerable ADS-caching behavior was newly introduced by version 1.1.26060.3008, altered by the RoguePlanet mitigations, or merely exposed during analysis of the updated code.
That uncertainty is a reason for precise language, not complacency. The original privilege-escalation flaw is patched, while the follow-on finding is a separate, currently unconfirmed denial-of-service risk associated with Defender’s file-handling behavior.

The Attack Still Needs a Route to SMB​

The published technique is not equivalent to an arbitrary website silently filling every visitor’s SSD. It requires the target to connect to a custom SMB server capable of serving the crafted file and alternate data stream while manipulating the timing of read responses.
That requirement narrows immediate exposure, particularly on networks where outbound SMB traffic is already blocked. Allowing TCP port 445 from workstations to arbitrary internet hosts has long been discouraged, independently of this Defender finding.
Corporate environments may have more complicated exposure. Windows clients and servers routinely use SMB for file shares, software distribution, administrative workflows, storage appliances, and application data. An attacker who has gained a position inside the network could potentially place the malicious server where endpoints are permitted to reach it.
Nightmare-Eclipse reports reproducing the behavior on Windows 11 25H2 and Windows Server 2025. There is not yet enough public evidence to establish whether Windows 10, earlier Windows 11 releases, other supported Windows Server versions, or Microsoft security products sharing the same engine behavior are affected.
The researcher is also investigating a possible WebDAV variant. If feasible, that could broaden delivery beyond traditional SMB access, but it should not yet be treated as a demonstrated attack path.

Administrators Should Harden SMB, Not Roll Back Defender​

Removing or rolling back the RoguePlanet fix would restore exposure to a publicly documented SYSTEM privilege-escalation vulnerability. Disabling Defender is also not a sound general response while Microsoft investigates a denial-of-service claim tied to one specific content-handling route.
For most organizations, the immediate response is conventional network and storage hygiene:
  • Block outbound SMB traffic to untrusted networks and the public internet, particularly TCP port 445.
  • Restrict workstation access to approved internal SMB servers rather than permitting broad east-west connectivity.
  • Alert on abrupt free-space loss and unusual sustained disk activity involving MsMpEng.exe.
  • Confirm that endpoints are running Malware Protection Engine 1.1.26060.3008 or newer so that RoguePlanet itself remains patched.
  • Keep tested backups and recovery access that do not depend on free space remaining on the affected system drive.
Storage monitoring is especially important on Windows Server 2025 systems where a full volume could disrupt multiple workloads rather than one user session. Operations teams should also ensure that monitoring agents can report rapidly falling capacity before the volume reaches a point where logging and remote-management services begin to fail.
There is no Microsoft-issued KB number, CVE identifier, or official workaround for the follow-on issue yet. Until Microsoft confirms the behavior and ships an engine revision, administrators must balance two facts: RoguePlanet requires the current Defender update, while untrusted SMB access may expose that updated engine to a separate disk-exhaustion technique.
The next meaningful milestone will be either a Microsoft acknowledgement or a Defender engine newer than 1.1.26060.3008 that explicitly changes Zone.Identifier caching. In the meantime, keeping RoguePlanet patched while denying endpoints unnecessary access to attacker-controlled SMB servers is the safest available course.

References​

  1. Primary source: PCWorld
    Published: 2026-07-14T15:57:39+00:00
  2. Related coverage: malwarebytes.com
  3. Related coverage: igorslab.de
  4. Related coverage: insights.integrity360.com
  5. Related coverage: dataaudit.net
  6. Related coverage: hoploninfosec.com
 

Back
Top