Patch for Home windows Defender 0-day might permit attackers to fill exhausting disk

A patch Microsoft launched on Wednesday to repair a zero-day vulnerability in its Defender safety engine could trigger Home windows machines to put in writing recordsdata giant sufficient to fully devour obtainable disk house, the researcher who found the flaw stated.
RoguePlanet, tracked as CVE-2026-50656, got here to public discover in June when NightmareEclipse, the pseudonymous identify utilized by a researcher, disclosed it together with code for exploiting it. The vulnerability permits distant attackers to achieve administrative management of Home windows 10 and Home windows 11 machines, even when real-time safety has been disabled. Over the previous few months, the nameless researcher has revealed a handful of different zero-days which have despatched Microsoft scrambling to develop patches.
Writing recordsdata of limitless measurement
Microsoft stated Wednesday that it patched RoguePlanet with an replace to the Microsoft Malware Safety Engine, which is utilized by the Defender antivirus app. The repair will robotically be downloaded and put in with out customers having to take any motion. Wednesday’s replace additionally consists of “defense-in-depth updates to assist enhance security-related options.”
In a publish on Thursday, NightmareEclipse stated the defense-in-depth additions produce conduct that will permit attackers to exhaust all obtainable house on a tough drive by writing large quantities of knowledge to it. The newly launched mitigations create an issue in mpengine.dll, the motive force related to the Microsoft Malware Safety Engine, that in some circumstances causes it to leak 8 bytes of knowledge when attempting to open a file. New performance in SpyNet, a cloud service that enables Microsoft Safety Necessities or Forefront Endpoint Safety to ship reviews about suspicious software program and packages to Microsoft, additionally performs a task within the potential mass file-writing conduct.
Defender usually locations exhausting limits on how huge a file may be written to disk when scanning and quarantining a machine.
“This implementation make [sic] sense, as a result of quarantining an enormous file will trigger Defender to fully exhaust the obtainable disk house,” the researcher wrote. “I discovered a small exception to this rule, apparently the spynet features in mpengine.dll actually desires [sic] to maintain a neighborhood copy of Zone.Identifier ADS file and it doesn’t matter how huge this file is, Home windows Defender will cache it regionally anyhow.”
