Microsoft Defender RoguePlanet Patch Has a New Disk Space Problem


defender disk usage
Image credit: Microsoft

Microsoft Defender’s RoguePlanet zero-day fix may introduce a separate issue that allows attackers to consume nearly all available disk space on affected Windows systems.

Microsoft acknowledged RoguePlanet, tracked as CVE-2026-50656, last month. The vulnerability affected the Microsoft Defender Malware Protection Engine file mpengine.dll and allowed attackers to elevate their privileges.

Microsoft fixed the flaw last week with Malware Protection Engine version 1.1.26060.3008. All earlier engine versions remain vulnerable, with version 1.1.26050.11 listed as the final affected release.

Researcher finds possible information leak

Security researcher Nightmare-Eclipse analyzed the updated Defender engine and identified a potential eight-byte information leak.

The issue appears connected to Microsoft’s new defense-in-depth protections. Researchers can currently observe the leak only through kernel drivers, not from user mode.

The leak does not appear immediately exploitable, although further research continues.

Defender update may fill the system drive

Nightmare-Eclipse also discovered a more disruptive issue that could cause the patched Defender engine to consume almost all available disk space.

Microsoft Defender normally limits the size of files it scans and quarantines. These restrictions help prevent large or malicious files from consuming excessive storage.

However, the limits reportedly do not apply to cached Zone.Identifier alternate data streams. An attacker could use this behavior to force Defender to create an extremely large ADS cache.

Proof of concept uses a malicious SMB server

The proof of concept relies on a custom SMB server hosting a file with an oversized and specially crafted Zone.Identifier alternate data stream.

The server deliberately delays certain read operations while keeping the SMB connection active. Defender reportedly keeps the cached files locked instead of removing them.

As the process continues, disk usage increases until the affected drive runs out of available space. This could cause applications to fail, interrupt services, or make Windows unstable.

Windows 11 and Windows Server affected

The researcher reproduced the disk exhaustion behavior on Windows 11 25H2 and Windows Server 2025.

Nightmare-Eclipse is also investigating whether attackers could use WebDAV instead of a malicious SMB server. A working WebDAV method could allow attackers to deliver the file over the Internet more easily.

Microsoft has not publicly addressed the reported disk exhaustion issue in its RoguePlanet security advisory.

Via Neowin

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages