Patch for Windows Defender 0-day could allow attackers to fill hard disk

← Back to the feed

Patch for Windows Defender 0-day could allow attackers to fill hard disk

Ars Technica · 2 hours ago

Microsoft released a patch on Wednesday to fix a serious zero-day vulnerability in its Windows Defender security engine, but the researcher who found the original flaw says the fix itself introduces a new weakness that could let attackers fill a victim's hard disk entirely. The original vulnerability, dubbed RoguePlanet (CVE-2026-50656), allowed remote attackers to gain administrative control of Windows 10 and 11 machines even with real-time protection turned off, so the reliability of Microsoft's response matters considerably for millions of users.

According to the pseudonymous researcher NightmareEclipse, the "defence-in-depth" additions bundled with the patch create a fault in mpengine.dll that, combined with new SpyNet functionality, bypasses Defender's normal limits on file size. Because Defender insists on caching a local copy of a downloaded file's Zone.Identifier metadata regardless of size, an attacker running a specially configured SMB server could serve a malicious file followed by a massive data stream, then stall the connection, causing Defender to hang and lock up the entire disk. The disclosure comes amid a months-long, increasingly bitter dispute between NightmareEclipse and Microsoft over the researcher's practice of publicly releasing exploit code before patches are ready.

  • Microsoft's Defender patch may itself let attackers exhaust a machine's disk space.
  • Original RoguePlanet flaw gave remote admin control of Windows 10 and 11.
  • Researcher and Microsoft remain locked in a bitter disclosure feud.

Business Markets

Read the full article at the source →