Windows Defender patch may allow hard disk exhaustion attack

Original: Patch for Windows Defender 0-day could allow attackers to fill hard disk

Why This Matters

A faulty security patch introducing new attack vectors highlights the growing complexity of rapid vulnerability response.

Microsoft's July 9, 2026 patch for Windows Defender zero-day CVE-2026-50656 (RoguePlanet) may itself introduce a flaw allowing attackers to write unlimited data to disk, exhausting all available storage. Researcher NightmareEclipse disclosed the issue the day after the patch was released.

Microsoft released a patch on July 9, 2026 for the Windows Defender zero-day vulnerability dubbed RoguePlanet (CVE-2026-50656), which allows remote attackers to gain administrative control of Windows 10 and 11 machines even when real-time protection is disabled. The patch updates the Microsoft Malware Protection Engine and installs automatically. However, NightmareEclipse — the pseudonymous researcher who originally discovered and publicly disclosed RoguePlanet in June — posted on July 10 that the patch's new 'defense-in-depth' mitigations introduce a new problem in mpengine.dll, the Malware Protection Engine driver. The flaw causes an 8-byte data leak when opening certain files. Combined with new SpyNet functionality, Defender loses its normal hard limits on file write sizes. Specifically, Defender's SpyNet functions will cache a local copy of a Zone.Identifier alternative data stream (ADS) file regardless of its size, bypassing the usual disk-space protections. NightmareEclipse noted this could be exploited via the SMB (Server Message Block) protocol. This is one of several zero-days the researcher has published in recent months, each prompting emergency patches from Microsoft.

Source

arstechnica.com — Read original →