Microsoft Defender’s RoguePlanet fix, delivered in Malware Protection Engine 1.1.26060.3008, is now under scrutiny for a separate flaw that can reportedly consume all available disk space on Windows 11 25H2 and Windows Server 2025. The issue does not restore RoguePlanet’s SYSTEM-level privilege escalation, but a public proof of concept shows Defender being manipulated into caching an enormous file stream until Windows runs out of storage.
Cybersecurity researcher Nightmare-Eclipse, who originally disclosed RoguePlanet, detailed the new behavior after reverse-engineering Microsoft’s updated
Microsoft had not publicly acknowledged the disk-exhaustion report as of July 14, 2026. That leaves the finding in an important but still provisional category: technically demonstrated by its discoverer, reproduced on two current Microsoft platforms, but not yet confirmed through a Microsoft advisory or an independent technical analysis.
Microsoft Defender normally limits how much data it will write while scanning and quarantining files. Those restrictions are essential because antimalware engines routinely inspect untrusted content, including files large enough to place significant pressure on local storage.
Nightmare-Eclipse says Defender makes an exception when handling
According to the researcher, functions associated with Defender’s SpyNet cloud-protection system attempt to retain a local copy of the
The proof of concept puts a suspicious file and a deliberately oversized
At a carefully selected point, the server stops answering a read request without closing the SMB connection. Defender reportedly remains stuck, holding the cached files open and reserving their storage until the Windows volume is full.
This is not described as an immediate blue-screen condition. The practical result can still be severe: Windows and its applications depend on free space for temporary files, databases, logs, updates, paging operations, and service state. Once the system drive reaches zero free space, applications may crash, services may fail, and administrators can lose normal management paths.
Microsoft addressed that vulnerability with Malware Protection Engine version 1.1.26060.3008. The previous vulnerable engine identified in Microsoft’s information was 1.1.26050.11, and the replacement is distributed through Defender’s routine security intelligence update mechanism rather than solely through a monthly Windows cumulative update.
That distinction matters for administrators checking exposure. The relevant number is the Defender engine version, not simply whether July’s Windows updates appear in Settings or in a patch-management console.
The newly reported disk problem emerged from Nightmare-Eclipse’s analysis of the modified engine. The researcher also claims that Microsoft’s defense-in-depth changes introduced an eight-byte information leak under certain file-opening conditions, although it is currently observable only from kernel drivers and has not been demonstrated as a standard-user exploit.
The disk-exhaustion path is more tangible because the researcher has published a working demonstration. However, it remains unclear whether the vulnerable ADS-caching behavior was newly introduced by version 1.1.26060.3008, altered by the RoguePlanet mitigations, or merely exposed during analysis of the updated code.
That uncertainty is a reason for precise language, not complacency. The original privilege-escalation flaw is patched, while the follow-on finding is a separate, currently unconfirmed denial-of-service risk associated with Defender’s file-handling behavior.
That requirement narrows immediate exposure, particularly on networks where outbound SMB traffic is already blocked. Allowing TCP port 445 from workstations to arbitrary internet hosts has long been discouraged, independently of this Defender finding.
Corporate environments may have more complicated exposure. Windows clients and servers routinely use SMB for file shares, software distribution, administrative workflows, storage appliances, and application data. An attacker who has gained a position inside the network could potentially place the malicious server where endpoints are permitted to reach it.
Nightmare-Eclipse reports reproducing the behavior on Windows 11 25H2 and Windows Server 2025. There is not yet enough public evidence to establish whether Windows 10, earlier Windows 11 releases, other supported Windows Server versions, or Microsoft security products sharing the same engine behavior are affected.
The researcher is also investigating a possible WebDAV variant. If feasible, that could broaden delivery beyond traditional SMB access, but it should not yet be treated as a demonstrated attack path.
For most organizations, the immediate response is conventional network and storage hygiene:
There is no Microsoft-issued KB number, CVE identifier, or official workaround for the follow-on issue yet. Until Microsoft confirms the behavior and ships an engine revision, administrators must balance two facts: RoguePlanet requires the current Defender update, while untrusted SMB access may expose that updated engine to a separate disk-exhaustion technique.
The next meaningful milestone will be either a Microsoft acknowledgement or a Defender engine newer than 1.1.26060.3008 that explicitly changes
Cybersecurity researcher Nightmare-Eclipse, who originally disclosed RoguePlanet, detailed the new behavior after reverse-engineering Microsoft’s updated
mpengine.dll. As reported by PCWorld and Neowin, the attack uses a specially configured SMB server and an oversized Zone.Identifier alternate data stream to turn Defender’s own caching process into a denial-of-service mechanism.Microsoft had not publicly acknowledged the disk-exhaustion report as of July 14, 2026. That leaves the finding in an important but still provisional category: technically demonstrated by its discoverer, reproduced on two current Microsoft platforms, but not yet confirmed through a Microsoft advisory or an independent technical analysis.
Defender’s Size Limit Has an ADS-Shaped Gap
Microsoft Defender normally limits how much data it will write while scanning and quarantining files. Those restrictions are essential because antimalware engines routinely inspect untrusted content, including files large enough to place significant pressure on local storage.Nightmare-Eclipse says Defender makes an exception when handling
Zone.Identifier, an NTFS alternate data stream, or ADS. Windows commonly attaches this metadata to downloaded files as the Mark of the Web, recording that the content originated outside the local computer and may require additional security checks.According to the researcher, functions associated with Defender’s SpyNet cloud-protection system attempt to retain a local copy of the
Zone.Identifier stream regardless of its size. The reported code path therefore lacks the same effective size restrictions Defender applies to ordinary files and quarantine operations.The proof of concept puts a suspicious file and a deliberately oversized
Zone.Identifier stream on an attacker-controlled SMB server. When the Windows machine accesses the share, Defender begins inspecting and caching the content locally.At a carefully selected point, the server stops answering a read request without closing the SMB connection. Defender reportedly remains stuck, holding the cached files open and reserving their storage until the Windows volume is full.
This is not described as an immediate blue-screen condition. The practical result can still be severe: Windows and its applications depend on free space for temporary files, databases, logs, updates, paging operations, and service state. Once the system drive reaches zero free space, applications may crash, services may fail, and administrators can lose normal management paths.
RoguePlanet Is Fixed, but the Patch Trail Matters
RoguePlanet is the name given to CVE-2026-50656, an elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine. The original race condition could allow code already running under a standard user account to obtainNT AUTHORITY\SYSTEM, the highest local privilege context normally available on Windows.Microsoft addressed that vulnerability with Malware Protection Engine version 1.1.26060.3008. The previous vulnerable engine identified in Microsoft’s information was 1.1.26050.11, and the replacement is distributed through Defender’s routine security intelligence update mechanism rather than solely through a monthly Windows cumulative update.
That distinction matters for administrators checking exposure. The relevant number is the Defender engine version, not simply whether July’s Windows updates appear in Settings or in a patch-management console.
The newly reported disk problem emerged from Nightmare-Eclipse’s analysis of the modified engine. The researcher also claims that Microsoft’s defense-in-depth changes introduced an eight-byte information leak under certain file-opening conditions, although it is currently observable only from kernel drivers and has not been demonstrated as a standard-user exploit.
The disk-exhaustion path is more tangible because the researcher has published a working demonstration. However, it remains unclear whether the vulnerable ADS-caching behavior was newly introduced by version 1.1.26060.3008, altered by the RoguePlanet mitigations, or merely exposed during analysis of the updated code.
That uncertainty is a reason for precise language, not complacency. The original privilege-escalation flaw is patched, while the follow-on finding is a separate, currently unconfirmed denial-of-service risk associated with Defender’s file-handling behavior.
The Attack Still Needs a Route to SMB
The published technique is not equivalent to an arbitrary website silently filling every visitor’s SSD. It requires the target to connect to a custom SMB server capable of serving the crafted file and alternate data stream while manipulating the timing of read responses.That requirement narrows immediate exposure, particularly on networks where outbound SMB traffic is already blocked. Allowing TCP port 445 from workstations to arbitrary internet hosts has long been discouraged, independently of this Defender finding.
Corporate environments may have more complicated exposure. Windows clients and servers routinely use SMB for file shares, software distribution, administrative workflows, storage appliances, and application data. An attacker who has gained a position inside the network could potentially place the malicious server where endpoints are permitted to reach it.
Nightmare-Eclipse reports reproducing the behavior on Windows 11 25H2 and Windows Server 2025. There is not yet enough public evidence to establish whether Windows 10, earlier Windows 11 releases, other supported Windows Server versions, or Microsoft security products sharing the same engine behavior are affected.
The researcher is also investigating a possible WebDAV variant. If feasible, that could broaden delivery beyond traditional SMB access, but it should not yet be treated as a demonstrated attack path.
Administrators Should Harden SMB, Not Roll Back Defender
Removing or rolling back the RoguePlanet fix would restore exposure to a publicly documented SYSTEM privilege-escalation vulnerability. Disabling Defender is also not a sound general response while Microsoft investigates a denial-of-service claim tied to one specific content-handling route.For most organizations, the immediate response is conventional network and storage hygiene:
- Block outbound SMB traffic to untrusted networks and the public internet, particularly TCP port 445.
- Restrict workstation access to approved internal SMB servers rather than permitting broad east-west connectivity.
- Alert on abrupt free-space loss and unusual sustained disk activity involving
MsMpEng.exe. - Confirm that endpoints are running Malware Protection Engine 1.1.26060.3008 or newer so that RoguePlanet itself remains patched.
- Keep tested backups and recovery access that do not depend on free space remaining on the affected system drive.
There is no Microsoft-issued KB number, CVE identifier, or official workaround for the follow-on issue yet. Until Microsoft confirms the behavior and ships an engine revision, administrators must balance two facts: RoguePlanet requires the current Defender update, while untrusted SMB access may expose that updated engine to a separate disk-exhaustion technique.
The next meaningful milestone will be either a Microsoft acknowledgement or a Defender engine newer than 1.1.26060.3008 that explicitly changes
Zone.Identifier caching. In the meantime, keeping RoguePlanet patched while denying endpoints unnecessary access to attacker-controlled SMB servers is the safest available course.References
- Primary source: PCWorld
Published: 2026-07-14T15:57:39+00:00
Microsoft's fix for RoguePlanet has its own new disk space bug | PCWorld
The Microsoft Defender patch that fixed RoguePlanet may have introduced a new flaw that lets attackers fill a PC's disk space, a researcher says.www.pcworld.com - Related coverage: malwarebytes.com
Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control | Malwarebytes
Microsoft says it's working on a fix for an unpatched Defender vulnerability that can give attackers the highest level of access on Windows.www.malwarebytes.com - Related coverage: igorslab.de
RoguePlanet in Defender: SYSTEM privileges via Malware Engine
Microsoft closes the RoguePlanet vulnerability in the Defender Malware Protection Engine; the flaw enabled local privilege escalation up to NT AUTHORITYSYST…www.igorslab.de - Related coverage: insights.integrity360.com
Security Advisory: CVE-2026-50656 ("RoguePlanet") – Microsoft Defender Elevation of Privilege Vulnerability
Microsoft has disclosed a high-severity privilege escalation vulnerability in Microsoft Defender, allowing local attackers to gain SYSTEM-level access. Immediate action is recommended.
insights.integrity360.com
- Related coverage: dataaudit.net
RoguePlanet Zero-Day: Microsoft Defender Is the Flaw
A working exploit called RoguePlanet turns Microsoft Defender into an attack vector. No patch exists yet. Here is what happened and what you can do now.www.dataaudit.net - Related coverage: hoploninfosec.com