Thu 09 Jul 2026 / 19:48 ET
Kernel
Internet 3 min read

Defender patch may let attackers fill Windows disks, researcher says

Microsoft patched a Defender engine zero-day, but its added mitigations may create a disk-exhaustion bug, according to the researcher who found it.

June Castellano

By June Castellano / Platforms & Power Reporter

Defender patch may let attackers fill Windows disks, researcher says
img: Ars Technica

Microsoft’s fix for a Windows Defender zero-day may have introduced a different problem: a way for an attacker to make Defender cache enough data to consume a Windows machine’s available disk space, according to the researcher who disclosed the original flaw.

The vulnerability, tracked as CVE-2026-50656 and called RoguePlanet by the researcher NightmareEclipse, affects the Microsoft Malware Protection Engine used by Defender. Microsoft said Wednesday that it had patched the issue through an engine update that installs automatically, with no user action required.

RoguePlanet became public in June after NightmareEclipse published details and exploit code. The researcher said the bug could let remote attackers obtain administrative control over Windows 10 and Windows 11 systems, including systems where Defender’s real-time protection had been turned off.

The alleged new failure mode

Microsoft’s advisory said the update also shipped “defense-in-depth” changes meant to improve security-related features. In a Thursday post, NightmareEclipse said those extra changes create a separate behavior in mpengine.dll, the component tied to the Malware Protection Engine.

According to the researcher, the new mitigations can cause the engine to leak 8 bytes of data in some file-opening cases. NightmareEclipse said the more serious practical issue involves SpyNet, Microsoft’s cloud reporting service for suspicious software, and how Defender handles a Windows metadata stream called Zone.Identifier.

Zone.Identifier is an alternate data stream that Windows attaches to files obtained from the Internet, email, or other outside locations. It records origin and security-zone information so Windows and security tools can treat the file accordingly.

Defender normally limits how much data it writes to disk while scanning or quarantining files, according to NightmareEclipse. The researcher said the exception is SpyNet-related handling of Zone.Identifier data, where Defender may keep a local copy regardless of size.

The attack scenario described by NightmareEclipse requires a custom SMB server. That server would present Defender with a malicious file, such as a mimikatz executable, followed by an oversized alternate data stream such as mimikatz.exe:Zone.Identifier. The server would then keep a read request open without completing it, causing Defender to hang while retaining a lock on files that occupy the drive, the researcher said.

NightmareEclipse said the machine would not necessarily crash, but Windows and applications could misbehave once the disk is full. That is plausible enough to be annoying and operationally ugly, if confirmed, but the public claim currently rests on the researcher’s write-up.

Microsoft did not immediately respond to questions asking whether it could confirm the described behavior.

A messy disclosure fight continues

The technical dispute sits inside a broader fight between Microsoft and NightmareEclipse. Since at least May, the researcher has accused Microsoft of silently fixing a privately reported vulnerability. After that, NightmareEclipse released details and exploit code for several Windows issues before Microsoft had patches ready.

Microsoft criticized the researcher’s disclosure practices, saying the vulnerabilities were not being reported responsibly. The company also made a veiled reference to possible legal action, then backed away from that position after public criticism and said no such action would occur.

Thursday’s new claim suggests the quarrel is still producing fresh Windows security drama. Users do not need to manually install Microsoft’s Defender engine fix, but administrators now have another thing to watch: whether the patch that closes RoguePlanet also gives attackers a route to turn disk space into a denial-of-service lever.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗