
windows defender patch A Microsoft patch for a newly disclosed Windows Defender zero-day may have closed one security hole while introducing another: according to the researcher who found the flaw, the update can cause Windows machines to write files so large that they exhaust the available space on a hard drive.
windows defender patch
Patch for RoguePlanet lands with a new concern
The vulnerability, tracked as CVE-2026-50656 and nicknamed RoguePlanet, first came to public notice in June when a pseudonymous researcher known as NightmareEclipse published details and code for exploiting it. Microsoft released a fix on Wednesday through an update to the Microsoft Malware Protection Engine, the backend used by the Defender antivirus app. The company said the update would be automatically downloaded and installed, with no action required from users. Microsoft also said the package included “defense-in-depth updates to help improve security-related features.”
RoguePlanet is a serious bug by itself. According to the original disclosure, it allows remote attackers to gain administrative control of Windows 10 and Windows 11 systems, even if real-time protection has been disabled. That made it one of a series of recent zero-days that have forced Microsoft into a hurried patch cycle as researchers continue to publish findings ahead of vendor fixes.
How the new issue could fill a disk
In a post on Thursday, NightmareEclipse said the new defense-in-depth changes may enable attackers to consume all available disk space by coercing Defender into writing massive amounts of data. The researcher pointed to behavior in mpengine.dll, the driver associated with the Microsoft Malware Protection Engine, saying that the mitigation can in some cases leak 8 bytes of data when opening a file. A separate piece of new functionality in SpyNet, Microsoft’s cloud service used by Microsoft Security Essentials or Forefront Endpoint Protection to send reports about suspicious software and programs to Microsoft, also appears to contribute to the problem.
Normally, Defender imposes hard limits on the size of files it will write during scanning and quarantine operations. That makes sense, as the researcher noted, because quarantining very large files could otherwise consume all available disk space. But NightmareEclipse said there is an exception tied to the handling of a file’s Zone.Identifier metadata, which Windows uses to record that a file came from the internet or another external source.
“This implementation make [sic] sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space,” the researcher wrote. “I found a small exception to this rule, apparently the spynet functions in mpengine.dll really wants [sic] to keep a local copy of Zone.Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways.”
A Zone.Identifier is a hidden metadata stream, often described as an alternative data stream, that Windows attaches to files downloaded from the internet or received through email or other external sources. It helps Windows mark the file’s origin and assign the appropriate security zone.
Exploit path involves SMB and a custom server
According to NightmareEclipse, the behavior can be triggered using Server Message Block, the file-sharing protocol used across local Windows networks. The researcher said exploitation would require a custom SMB server designed to respond to requests from Windows Defender.
In the example outlined by the researcher, the SMB server would serve a malicious file, such as a mimikatz executable, followed by a very large ADS file, such as mimikatz.exe:Zone.Identifier. During the process of answering read requests, the server would eventually stop responding to one of the read requests while keeping the connection alive. That, NightmareEclipse said, would cause Defender to hang while retaining a lock on the file, effectively holding the disk space used by the file and preventing the system from recovering cleanly.
The result, the researcher said, would not necessarily be a crash, but it could make the system difficult to use. “Obviously this won’t crash the machine but windows won’t behave properly with a full disk, multiple apps and services crash randomly,” the post said.
Microsoft did not immediately respond to questions asking whether it could confirm the behavior described by NightmareEclipse.
Long-running dispute between Microsoft and the researcher
The disclosure is the latest turn in an increasingly public conflict between Microsoft and NightmareEclipse. The feud appears to have begun at least in May, when the researcher said Microsoft had silently patched a vulnerability that had been privately reported. In the weeks that followed, the researcher released details and exploit code for several vulnerabilities before Microsoft had a chance to ship fixes.
Microsoft has criticized the researcher publicly, saying the vulnerabilities were not disclosed responsibly and making a veiled reference to possible legal action. After a backlash from the security community, however, Microsoft walked back that stance and said no such legal action would occur.
Thursday’s post suggests the dispute is still unresolved. It also underscores a familiar challenge for platform vendors: security updates can sometimes create edge-case behavior of their own, especially in complex components like antivirus engines, file quarantine systems and network-based scanning workflows.
Why the issue matters for Windows users
Even if the newly described disk-filling behavior proves harder to exploit in practice than the researcher suggests, the scenario is noteworthy because it affects a core security tool. Defender is meant to help contain threats, not create a new avenue for denial of service. A bug that can consume all free disk space can be disruptive on its own, potentially breaking applications, services and ordinary system operations before administrators have time to respond.
It is also notable that the original zero-day was already severe enough to warrant a rapid Microsoft response. RoguePlanet reportedly gave attackers administrative control on Windows 10 and Windows 11 systems, including systems with real-time protection turned off. That combination of privilege escalation and post-patch side effects helps explain why the case has drawn attention from both researchers and enterprise defenders.
For now, Microsoft’s update remains the official fix for CVE-2026-50656, and the company says it installs automatically. But the researcher’s warning indicates that the patch may deserve close monitoring in environments where disk space, file scanning and SMB traffic intersect. In other words, the latest Defender patch may have closed one door while leaving administrators with another operational concern to watch.
Source: Original report
Was this helpful?
Last Modified: July 10, 2026 at 10:55 am
4 views

