
A patch Microsoft launched on Wednesday to repair a zero-day vulnerability in its Defender safety engine could trigger Home windows machines to write down information massive sufficient to utterly eat out there disk house, the researcher who found the flaw stated.
RoguePlanet, tracked as CVE-2026-50656, got here to public discover in June when NightmareEclipse, the pseudonymous identify utilized by a researcher, disclosed it together with code for exploiting it. The vulnerability permits distant attackers to achieve administrative management of Home windows 10 and Home windows 11 machines, even when real-time safety has been disabled. Over the previous few months, the nameless researcher has printed a handful of different zero-days which have despatched Microsoft scrambling to develop patches.
Writing information of limitless measurement
Microsoft stated Wednesday that it patched RoguePlanet with an replace to the Microsoft Malware Safety Engine, which is utilized by the Defender antivirus app. The repair will robotically be downloaded and put in with out customers having to take any motion. Wednesday’s replace additionally consists of “defense-in-depth updates to assist enhance security-related options.”
In a put up on Thursday, NightmareEclipse stated the defense-in-depth additions produce habits which will enable attackers to exhaust all out there house on a tough drive by writing huge quantities of information to it. The newly launched mitigations create an issue in mpengine.dll, the driving force related to the Microsoft Malware Safety Engine, that in some instances causes it to leak 8 bytes of information when making an attempt to open a file. New performance in SpyNet, a cloud service that enables Microsoft Safety Necessities or Forefront Endpoint Safety to ship stories about suspicious software program and packages to Microsoft, additionally performs a job within the potential mass file-writing habits.
Defender usually locations onerous limits on how massive a file could be written to disk when scanning and quarantining a machine.
“This implementation make [sic] sense, as a result of quarantining an enormous file will trigger Defender to utterly exhaust the out there disk house,” the researcher wrote. “I discovered a small exception to this rule, apparently the spynet capabilities in mpengine.dll actually needs [sic] to maintain a neighborhood copy of Zone.Identifier ADS file and it doesn’t matter how massive this file is, Home windows Defender will cache it domestically in any case.”




