Microsoft Defender RoguePlanet Patch Has a New Disk Space Problem
Microsoft Defender’s RoguePlanet zero-day fix may introduce a separate issue that allows attackers to consume nearly all available disk space on affected Windows systems.
Microsoft acknowledged RoguePlanet, tracked as CVE-2026-50656, last month. The vulnerability affected the Microsoft Defender Malware Protection Engine file mpengine.dll and allowed attackers to elevate their privileges.
Microsoft fixed the flaw last week with Malware Protection Engine version 1.1.26060.3008. All earlier engine versions remain vulnerable, with version 1.1.26050.11 listed as the final affected release.
Researcher finds possible information leak
Security researcher Nightmare-Eclipse analyzed the updated Defender engine and identified a potential eight-byte information leak.
The issue appears connected to Microsoft’s new defense-in-depth protections. Researchers can currently observe the leak only through kernel drivers, not from user mode.
The leak does not appear immediately exploitable, although further research continues.
Defender update may fill the system drive
Nightmare-Eclipse also discovered a more disruptive issue that could cause the patched Defender engine to consume almost all available disk space.
Microsoft Defender normally limits the size of files it scans and quarantines. These restrictions help prevent large or malicious files from consuming excessive storage.
However, the limits reportedly do not apply to cached Zone.Identifier alternate data streams. An attacker could use this behavior to force Defender to create an extremely large ADS cache.
Proof of concept uses a malicious SMB server
The proof of concept relies on a custom SMB server hosting a file with an oversized and specially crafted Zone.Identifier alternate data stream.
The server deliberately delays certain read operations while keeping the SMB connection active. Defender reportedly keeps the cached files locked instead of removing them.
As the process continues, disk usage increases until the affected drive runs out of available space. This could cause applications to fail, interrupt services, or make Windows unstable.
Windows 11 and Windows Server affected
The researcher reproduced the disk exhaustion behavior on Windows 11 25H2 and Windows Server 2025.
Nightmare-Eclipse is also investigating whether attackers could use WebDAV instead of a malicious SMB server. A working WebDAV method could allow attackers to deliver the file over the Internet more easily.
Microsoft has not publicly addressed the reported disk exhaustion issue in its RoguePlanet security advisory.
Via Neowin
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages