A patch Microsoft released on Wednesday to repair a zero-day vulnerability in its Defender security engine may cause Windows machines to put in writing files large enough to completely devour available disk space, the researcher who discovered the flaw said.
RoguePlanet, tracked as CVE-2026-50656, got here to public notice in June when NightmareEclipse, the pseudonymous name utilized by a researcher, disclosed it together with code for exploiting it. The vulnerability allows distant attackers to realize administrative control of Windows 10 and Windows 11 machines, even when real-time protection has been disabled. Over the past few months, the anonymous researcher has published a handful of other zero-days which have sent Microsoft scrambling to develop patches.
Writing files of unlimited size
Microsoft said Wednesday that it patched RoguePlanet with an update to the Microsoft Malware Protection Engine, which is utilized by the Defender antivirus app. The fix will mechanically be downloaded and installed without users having to take any motion. Wednesday’s update also includes “defense-in-depth updates to assist improve security-related features.”
In a post on Thursday, NightmareEclipse said the defense-in-depth additions produce behavior which will allow attackers to exhaust all available space on a hard disk drive by writing massive amounts of information to it. The newly introduced mitigations create an issue in mpengine.dll, the motive force related to the Microsoft Malware Protection Engine, that in some cases causes it to leak 8 bytes of information when attempting to open a file. Latest functionality in SpyNet, a cloud service that permits Microsoft Security Essentials or Forefront Endpoint Protection to send reports about suspicious software and programs to Microsoft, also plays a task within the potential mass file-writing behavior.
Defender normally places hard limits on how big a file might be written to disk when scanning and quarantining a machine.
“This implementation make [sic] sense, because quarantining an enormous file will cause Defender to completely exhaust the available disk space,” the researcher wrote. “I discovered a small exception to this rule, apparently the spynet functions in mpengine.dll really wants [sic] to maintain a neighborhood copy of Zone.Identifier ADS file and it doesn’t matter how big this file is, Windows Defender will cache it locally in any case.”

