BigTech CompaniesCybersecurityNewswireTechnologyWhat's Buzzing

Windows Defender 0-Day Patch Fixes Disk-Filling Attack Risk

Originally published on: July 10, 2026
▼ Summary

– Microsoft patched zero-day vulnerability CVE-2026-50656 in the Microsoft Malware Protection Engine, allowing remote attackers to gain administrative control of Windows 10 and 11.
– The fix is automatically downloaded and installed, and includes defense-in-depth updates to improve security features.
– Researcher NightmareEclipse reported that the defense-in-depth updates can cause Windows machines to write files large enough to completely exhaust disk space.
– The issue stems from a leak of 8 bytes of data in mpengine.dll when opening a file, combined with SpyNet functionality that caches local copies of files.
– Defender normally limits file size during scanning and quarantining, but the SpyNet functions do not apply this limit, allowing unlimited file writing.

Microsoft’s latest security patch for a critical zero-day vulnerability in its Defender antivirus engine carries an unexpected side effect: it can trigger the writing of files large enough to completely fill up a hard drive, the researcher who originally reported the flaw has warned.

The vulnerability, tracked as CVE-2026-50656 and dubbed RoguePlanet, was first made public in June by a researcher operating under the pseudonym NightmareEclipse. At that time, the researcher released both details and exploit code. The bug allows remote attackers to gain full administrative control over Windows 10 and Windows 11 machines, even when real-time protection is turned off. Over recent months, the same anonymous researcher has disclosed several other zero-day flaws, each prompting emergency patching efforts from Microsoft.

On Wednesday, Microsoft announced it had addressed RoguePlanet through an update to the Microsoft Malware Protection Engine, the core component used by the Defender antivirus app. The fix is delivered automatically, requiring no user action. The update also includes what Microsoft describes as “defense-in-depth updates to help improve security-related features.”

In a follow-up post on Thursday, NightmareEclipse explained that these defense-in-depth additions introduce a new problem. The mitigations create a bug in mpengine.dll, the driver tied to the Malware Protection Engine, which can cause it to leak 8 bytes of data each time it attempts to open a file. This behavior, combined with new functionality in SpyNet (a Microsoft cloud service that Security Essentials and Forefront Endpoint Protection use to report suspicious software), can lead to massive file-writing activity.

Normally, Defender imposes strict limits on the size of files it writes to disk during scanning and quarantining. This restriction prevents the antivirus tool from exhausting available storage. However, the researcher found an exception. “This implementation make sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space,” NightmareEclipse wrote. “I found a small exception to this rule, apparently the spynet functions in mpengine.dll really wants to keep a local copy of Zone. Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways.”

(Source: Ars Technica)

Topics

zero-day vulnerability 95% microsoft security patch 93% disk space exhaustion 90% defender security engine 88% remote code execution 87% researcher disclosure 85% malware protection engine 84% file writing bug 82% spynet cloud service 80% defense-in-depth updates 78%