RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space
Key Takeaways A recent patch for a critical Microsoft Defender vulnerability (CVE-2026-50656) may have introduced new flaws. Security researcher Chaotic Eclipse alleges the patch causes an...
Key Takeaways
- A recent patch for a critical Microsoft Defender vulnerability (CVE-2026-50656) may have introduced new flaws.
- Security researcher Chaotic Eclipse alleges the patch causes an information leak and a denial-of-service condition that exhausts disk space.
- The denial-of-service vulnerability affects Windows 11 version 25H2 and Windows Server 2025.
- Exploitation of the disk exhaustion issue currently requires access to a malicious SMB share.
Microsoft Defender Patch for RoguePlanet Zero-Day Allegedly Introduces New Vulnerabilities
A recent security update for Microsoft Defender, intended to address a high-severity local privilege-escalation flaw dubbed “RoguePlanet,” has reportedly introduced fresh security and reliability concerns. According to independent researcher Chaotic Eclipse, the patch for CVE-2026-50656, integrated into the Microsoft Malware Protection Engine, creates conditions for data leakage and disk space exhaustion.
Table Of Content
The original RoguePlanet vulnerability, tracked as CVE-2026-50656, is a critical local privilege escalation flaw residing within the Microsoft Malware Protection Engine, the foundational component driving Microsoft Defender’s scanning and remediation capabilities. Microsoft addressed this vulnerability in engine version 1.1.26060.3008, alongside what it described as “defense-in-depth” updates designed to harden the system.
Information Disclosure Claims
Chaotic Eclipse, also known as Nightmare-Eclipse, claims that the new defense-in-depth changes within the mpengine.dll component of the Microsoft Malware Protection Engine can inadvertently disclose eight bytes of data. This occurs during specific file-handling scenarios when Defender attempts to process a specially crafted file.
While the researcher confirmed the eight-byte data leak, they have not yet identified a method for a standard user to retrieve these bytes. Current observations suggest the leaked data is only exposed to drivers, making direct user exploitation challenging. Microsoft has not yet independently verified this reported information disclosure.
Denial-of-Service Through Disk Exhaustion
Of more immediate concern is a separate denial-of-service scenario identified by Chaotic Eclipse. This vulnerability involves Defender’s handling of Zone.Identifier alternate data streams (ADS) during quarantine and reputation checks, potentially leading to the complete exhaustion of local disk space.
Zone.Identifier is a piece of Windows metadata that records the origin or security zone of a file, commonly seen with files downloaded from the internet or accessed from network shares. Typically, Defender implements size limits for scanning and quarantining files to prevent excessively large objects from consuming all available storage.
However, the researcher’s analysis indicates an exception within the mpengine.dll functions linked to Microsoft’s Spynet cloud-protection framework. These functions allegedly retain a local copy of Zone.Identifier data, irrespective of the stream’s size, bypassing the usual safeguards.
Chaotic Eclipse demonstrated this condition using a controlled SMB server. In the proof-of-concept, Defender accessed a file hosted on the server and then attempted to read its associated, intentionally oversized Zone.Identifier ADS. The SMB server then withheld a response to a subsequent read request, causing Defender to remain in a waiting state while continuously reserving disk space for the cached content.
Evidence presented in the report, including screenshots and process-monitoring output, shows the affected Windows volume reaching zero free bytes. Microsoft Defender’s MsMpEng.exe process was observed repeatedly writing data and ultimately encountering “DISK FULL” errors, rather than gracefully terminating the operation. This behavior was successfully reproduced on Windows 11 version 25H2 and Windows Server 2025.
While this condition does not result in a direct system crash, a fully consumed system drive can severely impact operations. Applications may fail, services can become unstable, system updates might fail, and the overall effectiveness of endpoint protection can be compromised.
Currently, exploiting this disk exhaustion vulnerability appears to necessitate a victim system accessing a malicious or researcher-controlled SMB share, which typically involves an authentication step and some user interaction. Chaotic Eclipse is also investigating whether WebDAV could facilitate similar behavior, though initial attempts to access ADS through WebDAV have resulted in STATUS_INVALID_PARAMETERS errors.
What You Should Do
- Ensure your Microsoft Defender engines are updated to the latest available versions.
- Restrict unnecessary outbound SMB access from endpoints to mitigate the risk of connecting to malicious shares.
- Monitor for sudden and unexplained disk consumption events, particularly those involving the
MsMpEng.exeprocess. - Investigate any unusually large file activity related to Alternate Data Streams (ADS).
- Stay informed on official advisories from Microsoft regarding these reported post-patch issues.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.