Tech News

Windows Defender RoguePlanet Patch May Be Causing New Side Effects

Just hours after fixing RoguePlanet, a zero-day flaw in Windows Defender, Microsoft is already back in the crosshairs of researcher Nightmare Eclipse. In a new post, he claims the patch itself could open the door to a denial-of-service attack capable of filling the entire disk of a Windows 11 or Windows Server 2025 machine. Here’s what we know.

A patch that could introduce new side effects

On July 8, 2026, Microsoft fixed the RoguePlanet flaw (CVE-2026-50656), a privilege escalation issue that granted SYSTEM rights on fully patched Windows 10 and Windows 11 systems. Microsoft delivered the fix through the Microsoft Defender engine update channel, with version 1.1.26060.3008. I covered it in this dedicated article: Microsoft fixes the RoguePlanet zero-day flaw.

The researcher behind the vulnerability, known under the pseudonyms Nightmare Eclipse and Chaotic Eclipse, has decided to strike again. In a new post, he is no longer talking about RoguePlanet, but about the side effects he says he spotted after installing the patch.

The engine update 1.1.26060.3008 does more than just patch RoguePlanet. It also includes improvements that Microsoft associates with defense in depth, which is meant to harden the analysis engine beyond this specific flaw.

Those very protections would be the source of the problem. According to Nightmare Eclipse, the mitigations added in mpengine.dll could, in some scenarios, cause Windows Defender to leak 8 bytes of data when a file is opened. For now, however, this leak would only be exploitable at the driver level, not from a standard user account. But he is working on it, as you might expect.

A local disk filled through a booby-trapped SMB server

The second issue is already more troublesome. But before getting into it, let’s recall how Windows Defender works: Microsoft’s antivirus enforces strict limits on the size of the files it scans or quarantines. That makes sense, since quarantining a huge file could easily consume disk space.

According to the researcher, the SpyNet-related functions in mpengine.dll⁣ try to keep a local copy of the :Zone.Identifier alternate data stream, regardless of its size. By pointing Defender to a malicious SMB server that serves an oversized :Zone.Identifier stream, then deliberately stops responding to a read request while keeping the connection open, the antivirus would become stuck. It would retain a lock on the affected files and gradually fill the entire disk.

The researcher says he reproduced this behavior on two recent environments:

Windows would not necessarily crash completely, but once the disk is full, things quickly become unstable. Applications and services may stop at random, especially because they can no longer write to disk.

To exploit this attack scenario, a potential attacker must trick the victim into connecting to a booby-trapped SMB server. "I’m trying to make it work with WebDAV so I can bypass the required authentication," Nightmare Eclipse says.

There is little doubt that this tug-of-war between Microsoft and Nightmare Eclipse will have another chapter. You can read the report on this page.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.