Patch for Windows Defender 0-day could allow attackers to fill hard disk

by | Jul 14, 2026 | Technology

News summary produced by Claude AI

Microsoft released a security update on Wednesday addressing CVE-2026-50656, a zero-day vulnerability in its Defender antivirus engine that allowed remote attackers to gain administrative access to Windows 10 and Windows 11 machines. The vulnerability, tracked under the name RoguePlanet, was initially disclosed publicly in June by NightmareEclipse, a pseudonymous security researcher who also released exploit code.

According to NightmareEclipse, the defense-in-depth mitigations included in Microsoft’s patch may introduce a new problem. The researcher stated that modifications to the Microsoft Malware Protection Engine driver could permit attackers to completely fill a system’s hard drive by writing massive amounts of data. The issue stems from how the updated SpyNet functionality in the engine handles Zone. Identifier alternative data streams—hidden metadata files that Windows associates with downloaded or externally sourced files. Unlike normal Defender operations, which impose file size limits during scanning and quarantine procedures, the SpyNet functions reportedly attempt to cache Zone. Identifier files without size restrictions.

NightmareEclipse detailed a potential exploitation method involving a custom Server Message Block server that could serve malicious files alongside enormous alternative data streams, causing Defender to hang while maintaining file locks that consume all available disk space. While such an attack would not crash the system, the researcher noted that a full disk would cause widespread application and service failures. Microsoft acknowledged the report on July 13 and stated it is investigating the matter.

This incident represents another chapter in an escalating dispute between the researcher and Microsoft dating back to May. The conflict began when NightmareEclipse alleged that Microsoft silently patched a privately reported vulnerability without proper notification. Subsequently, the researcher publicly disclosed multiple vulnerabilities and exploit code prior to Microsoft’s patch releases. Microsoft initially threatened legal action for irresponsible disclosure practices, but reversed course following public criticism.

Article Attribution | Read More at Article Source