Patch for Windows Defender 0-Day Vulnerability Could Enable Disk Space Hijacking by Attackers

Microsoft has reportedly issued a patch to address a zero-day vulnerability in its Defender security engine, but this update may inadvertently lead Windows machines to generate excessively large files, potentially consuming all available disk space. This information was shared by the researcher who uncovered the flaw, known as CVE-2026-50656, identified as “RoguePlanet.”

The vulnerability gained attention in June when a researcher operating under the alias NightmareEclipse disclosed it, providing code to demonstrate its exploitation. RoguePlanet enables remote attackers to achieve administrative control over Windows 10 and Windows 11 systems, even if real-time protection is turned off. Over recent months, the anonymous researcher has brought several zero-day vulnerabilities to light, prompting urgent responses from Microsoft for remedial measures.

On Wednesday, Microsoft announced that it had mitigated the RoguePlanet vulnerability through an update to the Microsoft Malware Protection Engine, utilized by the Defender antivirus application. This patch will be automatically downloaded and installed on users’ machines, negating the need for any action from the end-users. The update also includes enhancements aimed at improving the overall security posture of Defender.

However, following the patch, NightmareEclipse indicated that some of the updates could create scenarios where attackers might abuse the system to fill a hard drive’s storage with massive files. New changes introduced to the mpengine.dll driver might occasionally result in a data leak of 8 bytes while attempting to open a file. Furthermore, an enhancement to Microsoft’s SpyNet—a cloud service that assists Microsoft Security Essentials and Forefront Endpoint Protection in reporting suspicious software—may also contribute to this excessive file-writing behavior.

Typically, Windows Defender imposes strict limitations on file sizes during scans and quarantining procedures. The researcher noted that while such limitations are logical to prevent the exhaustion of available storage, there exists a peculiar exception. The behavior of the SpyNet functions could lead to unwarranted local caching of a file, specifically the Zone.Identifier Alternate Data Stream file, without restriction on its size.

Within the context of this incident, it’s important for business owners to be aware of the potential adversary tactics involved. The initial access tactic could be linked to the way this vulnerability allows unauthorized control over target systems. Additionally, persistence might be observed through the exploitation mechanisms that maintain the attacker’s foothold, while privilege escalation is critical, given that attackers can gain administrative privileges.

Organizations should remain vigilant in the face of such vulnerabilities, as they underscore the necessity of robust cybersecurity measures and timely updates. Understanding the implications of these vulnerabilities, as well as the methods attackers might use, is crucial to mitigating risks in an increasingly complex cyber landscape.

Source