RoguePlanet: The Windows Defender Bug That Doesn't Care If You Turn It Off

July 15, 2026 · 9 min read

RoguePlanet: The Windows Defender Bug That Doesn't Care If You Turn It Off

TL;DR - A researcher going by Nightmare Eclipse dropped a Windows Defender zero-day called RoguePlanet (CVE-2026-50656) in June, and the headlines doing the rounds this week have the story backwards. The flaw itself is a local privilege escalation bug in Defender's scanning engine that lets someone who already has a foothold on your PC ride a race condition to a full SYSTEM shell, and it works whether Defender's real-time protection is switched on or off. Microsoft shipped the fix this week, 29 days after the exploit went public. Separately, the same researcher says the fix itself introduced a disk-filling bug in how Defender caches a piece of file metadata. That disk problem is a side effect of the patch, not the vulnerability it's fixing. Install the update anyway. A tool that turns your own antivirus into the attack path is worse than one that fills a hard drive.

RoguePlanet By The Numbers

ThingFigure
CVE IDCVE-2026-50656
CVSS severity score7.8 (High)
What it hands an attackerSYSTEM - the highest privilege level on Windows
Works with real-time protection switched offYes - disabling Defender does not close it
Days between public exploit and Microsoft's patch29
Prior Defender-adjacent bug from the same researcherThe YellowKey BitLocker bypass, earlier this year
Where the disk-fill bug actually livesIn the patch's SpyNet caching code, not the original flaw

A reader sent me the wrong headline this week

One of my newsletter readers forwarded me a screenshot on Thursday: "Windows Defender bug fills your whole hard drive, patch now." My first reaction, before I'd read past the headline, was to nod along and file it as one more "just update Windows" story. Then I went and read the actual CVE description and the researcher's own write-up, and realised the popular version of this story has the cause and effect swapped.

RoguePlanet is not a bug that fills your disk. RoguePlanet is a bug that lets someone already on your machine take it over completely. The disk-filling problem is something else, a side effect Microsoft's own fix introduced while closing that hole. Two different bugs, two different weeks, and most of the coverage I've seen mashes them into one scary sentence. I want to pull them apart properly, because the actual story is more useful to know than the shortened one.

What RoguePlanet actually does

CVE-2026-50656 lives inside the Microsoft Malware Protection Engine, the scanning core that Windows Defender runs on every version of Windows 10 and 11. A researcher using the handle Nightmare Eclipse published the technical details and working proof-of-concept code in June, timed to land the same week as Microsoft's regular monthly update. It's rated 7.8 out of 10, and it's a privilege escalation bug: something that turns "I have some access to this machine" into "I have all the access there is."

The mechanism is a race condition. Defender's engine can be tricked, with the right timing, into spawning a command shell running with SYSTEM privileges, the account Windows itself runs as, above a normal administrator. Get that shell, and you own the machine outright: install anything, read anything, disable anything, move to any other machine on the network from there. It's not a remote stranger reaching in from across the internet with zero access to start with. It needs an attacker who already has some presence on the PC, a foothold from a phished credential, a dropped payload, another piece of malware, or a compromised account. What it does with that foothold is the part that matters: it turns a partial compromise into a total one.

What actually stopped me scrolling was that the proof-of-concept works whether Defender's real-time protection is turned on or off. Toggling your antivirus off, which a lot of people do "just for a minute" to install something a nagging pop-up claims Defender is blocking, gave you zero protection either way here. The tool built to be your last line of defence was, for a month, also a door that didn't care if you'd locked it.


Why "just turn Defender off" was never the fix

I've written before about how often "disable the antivirus" shows up as step one in a dodgy PC-cleaner tool or a scammer's remote-access script. RoguePlanet is the cleanest argument yet against that instinct. The people most exposed to this bug for the past month weren't the ones running Defender normally. They were the ones who'd already switched real-time protection off, because that's exactly the population an attacker chasing a foothold-to-SYSTEM bug wants to find: a machine where the security tooling has already been told to stand down, on the assumption that "off" means "out of the picture." Here it didn't. The exploit path ran straight through the engine regardless of its on/off switch.

Microsoft addressed the flaw this week, shipping a fix to the Malware Protection Engine itself (version 1.1.26060.3008) rather than waiting for the next scheduled monthly update, 29 days after Nightmare Eclipse's proof-of-concept went public. That gap is worth sitting with. For a month, a working exploit for full SYSTEM access sat in the open against fully patched Windows 10 and 11 machines, with no setting a normal user could flip to reduce it.

The patch's own wrinkle, and why it's not the same story

The "fills your disk" headline actually comes from a real finding, just not the one it's being reported as. According to Nightmare Eclipse, the changes Microsoft shipped to close RoguePlanet touch a part of Defender's engine tied to SpyNet, the cloud-lookup feature that shares file reputation data back to Microsoft. Those SpyNet-related functions cache a small piece of file metadata called a Zone.Identifier, the same tag that marks a downloaded file as coming from the internet, and the claim is that this caching doesn't respect the file-size limits Defender normally enforces everywhere else it writes to disk.

The proof-of-concept for that involves standing up a rogue SMB file server, serving up an oversized Zone.Identifier tag, and then deliberately stalling the connection while Defender tries to read and cache it. Do that for long enough and Defender holds onto disk space it never releases, eventually running the drive down to zero free bytes: crashed applications, broken logging, a system quietly grinding to a halt. That's a real problem, and it's worth knowing about, particularly if you run a server with limited storage. But it is a denial-of-service bug in this week's patch, not the RoguePlanet vulnerability itself, and as of this week it's a researcher's claim that Microsoft hasn't yet publicly confirmed or separately fixed. Two different bugs, two different CVEs' worth of behaviour, living in the same news cycle because they touch the same file.

What to actually do about it

None of this calls for panic, and none of it calls for turning anything off. The practical version:

  1. Install this week's Windows Defender update. It closes a bug that hands out full SYSTEM control to anyone who gets a foothold on your machine. A drive that might fill up under a very specific, deliberately-engineered attack is a much smaller problem than that.
  2. Keep Windows Update turned on, full stop. The Malware Protection Engine updates itself automatically for almost everyone; you don't need to hunt down a manual download.
  3. Don't let a "PC cleaner" or "speed booster" app talk you into disabling Defender. RoguePlanet is the clearest proof I've seen this year that turning your antivirus off doesn't take it out of the blast radius. It can still be the thing an attacker walks through.
  4. If you run a server or a machine with limited free space, keep an eye on disk usage for the next little while as this second issue gets sorted out. For a normal home PC or laptop, it's not something to lose sleep over.
  5. Don't chase this one down yourself with registry tweaks or third-party "fixes". Wait for Microsoft's update, same as always. Homemade mitigations for engine-level bugs tend to create new problems rather than close old ones.

Key Takeaways

  • RoguePlanet (CVE-2026-50656) is a local privilege escalation bug, not a disk-filling bug. It lets someone who already has a foothold on your PC ride a race condition in Defender's engine to full SYSTEM control.
  • Turning Defender off didn't help. The proof-of-concept worked with real-time protection on or off, which is the actual headline this story deserves.
  • Microsoft patched it 29 days after the public exploit, via an engine update rather than a scheduled Patch Tuesday release.
  • The disk-fill problem lives in the patch, not the flaw. It's a separate, so-far-unconfirmed claim about how the fix caches file metadata, and it's a denial-of-service issue, not a takeover.
  • Install the update regardless. A bug that can hand out full control of your machine is the one you want closed first.

FAQ

Q: Do I need to do anything beyond letting Windows update as normal?

No. For almost everyone, the Malware Protection Engine updates itself in the background. Check Windows Update shows you're current and move on with your week.

Q: Should I turn off real-time protection until this all settles down?

No, and RoguePlanet is exactly why. The exploit worked the same whether protection was on or off, so switching it off buys you nothing against this bug and removes protection against everything else Defender normally catches.

Q: I run a home server or NAS with Windows on it. Should I worry about the disk-fill claim?

Keep an eye on free disk space for now, since that report specifically targets machines with exposed file-sharing services and limited storage. It's not confirmed or independently reproduced yet, so I wouldn't rebuild anything around it, just watch it.

Q: Who is Nightmare Eclipse, and why do they keep finding these?

An anonymous researcher who's published more than one Windows security bug this year, including the YellowKey BitLocker bypass I wrote about in May, reportedly stemming from an unresolved dispute with Microsoft over how vulnerability reports get handled. Whatever the motive, the bugs themselves have checked out as real each time, this one included.

Q: Does this mean Windows Defender is bad and I should switch antivirus products?

No. Every major security engine has had privilege escalation bugs; Defender finding and fixing one in under a month is the system working, even with an awkward extra wrinkle in the fix. Swapping products doesn't remove that category of risk, it just moves it somewhere you're less familiar with.

My Take

The part of this story that stuck with me isn't the bug itself, it's how confidently the wrong version of it spread. "Patch fills your hard disk" is a much easier headline to write and share than "an engine-level race condition lets a partial compromise become a total one regardless of your settings," so that's the version that travelled. I nearly repeated it myself before I'd read past the first line.

The real lesson from RoguePlanet isn't about disk space. It's that the tool sitting between you and an attacker can itself become the path in, and that flipping its switch to "off" isn't a workaround, it's just one less thing standing in the way. Install the update, leave Defender running the way Microsoft ships it, and treat any advice that tells you to switch your security tooling off "just for a moment" with the same suspicion you'd give a stranger asking to borrow your house key for a minute.

Stay safe out there, Mat C


Mathew Clark Founder, SecureInSeconds Currently: leaving Defender's real-time protection exactly where Microsoft put it.

Further Reading

Share:

You might also like