Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges
July 10, 2026
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
Home/CyberSecurity News/RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space
CyberSecurity News

RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space

Key Takeaways A recent patch for a critical Microsoft Defender vulnerability (CVE-2026-50656) may have introduced new flaws. Security researcher Chaotic Eclipse alleges the patch causes an...

Sarah simpson
Sarah simpson
July 10, 2026 3 Min Read
4 0

Key Takeaways

  • A recent patch for a critical Microsoft Defender vulnerability (CVE-2026-50656) may have introduced new flaws.
  • Security researcher Chaotic Eclipse alleges the patch causes an information leak and a denial-of-service condition that exhausts disk space.
  • The denial-of-service vulnerability affects Windows 11 version 25H2 and Windows Server 2025.
  • Exploitation of the disk exhaustion issue currently requires access to a malicious SMB share.

Microsoft Defender Patch for RoguePlanet Zero-Day Allegedly Introduces New Vulnerabilities

A recent security update for Microsoft Defender, intended to address a high-severity local privilege-escalation flaw dubbed “RoguePlanet,” has reportedly introduced fresh security and reliability concerns. According to independent researcher Chaotic Eclipse, the patch for CVE-2026-50656, integrated into the Microsoft Malware Protection Engine, creates conditions for data leakage and disk space exhaustion.

Table Of Content

  • Key Takeaways
  • Microsoft Defender Patch for RoguePlanet Zero-Day Allegedly Introduces New Vulnerabilities
  • Information Disclosure Claims
  • Denial-of-Service Through Disk Exhaustion
  • What You Should Do

The original RoguePlanet vulnerability, tracked as CVE-2026-50656, is a critical local privilege escalation flaw residing within the Microsoft Malware Protection Engine, the foundational component driving Microsoft Defender’s scanning and remediation capabilities. Microsoft addressed this vulnerability in engine version 1.1.26060.3008, alongside what it described as “defense-in-depth” updates designed to harden the system.

Information Disclosure Claims

Chaotic Eclipse, also known as Nightmare-Eclipse, claims that the new defense-in-depth changes within the mpengine.dll component of the Microsoft Malware Protection Engine can inadvertently disclose eight bytes of data. This occurs during specific file-handling scenarios when Defender attempts to process a specially crafted file.

While the researcher confirmed the eight-byte data leak, they have not yet identified a method for a standard user to retrieve these bytes. Current observations suggest the leaked data is only exposed to drivers, making direct user exploitation challenging. Microsoft has not yet independently verified this reported information disclosure.

Denial-of-Service Through Disk Exhaustion

Of more immediate concern is a separate denial-of-service scenario identified by Chaotic Eclipse. This vulnerability involves Defender’s handling of Zone.Identifier alternate data streams (ADS) during quarantine and reputation checks, potentially leading to the complete exhaustion of local disk space.

Zone.Identifier is a piece of Windows metadata that records the origin or security zone of a file, commonly seen with files downloaded from the internet or accessed from network shares. Typically, Defender implements size limits for scanning and quarantining files to prevent excessively large objects from consuming all available storage.

However, the researcher’s analysis indicates an exception within the mpengine.dll functions linked to Microsoft’s Spynet cloud-protection framework. These functions allegedly retain a local copy of Zone.Identifier data, irrespective of the stream’s size, bypassing the usual safeguards.

Chaotic Eclipse demonstrated this condition using a controlled SMB server. In the proof-of-concept, Defender accessed a file hosted on the server and then attempted to read its associated, intentionally oversized Zone.Identifier ADS. The SMB server then withheld a response to a subsequent read request, causing Defender to remain in a waiting state while continuously reserving disk space for the cached content.

Evidence presented in the report, including screenshots and process-monitoring output, shows the affected Windows volume reaching zero free bytes. Microsoft Defender’s MsMpEng.exe process was observed repeatedly writing data and ultimately encountering “DISK FULL” errors, rather than gracefully terminating the operation. This behavior was successfully reproduced on Windows 11 version 25H2 and Windows Server 2025.

While this condition does not result in a direct system crash, a fully consumed system drive can severely impact operations. Applications may fail, services can become unstable, system updates might fail, and the overall effectiveness of endpoint protection can be compromised.

Currently, exploiting this disk exhaustion vulnerability appears to necessitate a victim system accessing a malicious or researcher-controlled SMB share, which typically involves an authentication step and some user interaction. Chaotic Eclipse is also investigating whether WebDAV could facilitate similar behavior, though initial attempts to access ADS through WebDAV have resulted in STATUS_INVALID_PARAMETERS errors.

What You Should Do

  • Ensure your Microsoft Defender engines are updated to the latest available versions.
  • Restrict unnecessary outbound SMB access from endpoints to mitigate the risk of connecting to malicious shares.
  • Monitor for sudden and unexplained disk consumption events, particularly those involving the MsMpEng.exe process.
  • Investigate any unusually large file activity related to Alternate Data Streams (ADS).
  • Stay informed on official advisories from Microsoft regarding these reported post-patch issues.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

CVEExploitMalwarePatchSecurityzero-day

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

AI Gateways Emerge as New Attack Surface for Enterprise Network Compromise

Next Post

Critical Windows Shortcut Vulnerability Allows Remote Code Execution

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Windows Process Injection Technique Evades 4 EDR Solutions
July 10, 2026
Xalgorix AI Tool Vulnerability Exposes Sensitive Data
July 10, 2026
Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us