HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

Microsoft Defender patch may allow disk space exhaustion

Created at 9 Jul · 8:56 PM1 source↑ Market-relevant
IN SHORT

A Microsoft patch for a zero-day vulnerability in its Defender security engine may inadvertently allow attackers to fill hard drives by writing unlimited-sized files, according to the researcher who discovered the flaw.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

8 bytesdata leaked per file open attempt

Who's Involved

Microsoft
released a patch for its Defender security engine
NightmareEclipse
researcher who discovered the zero-day vulnerability
RoguePlanet
zero-day vulnerability tracked as CVE-2026-50656
mpengine.dll
driver associated with Microsoft Malware Protection Engine
SpyNet
cloud service involved in potential mass file-writing behavior
Microsoft Defender patch may allow disk space exhaustion

↳ Why This Matters

The patch intended to fix a critical security flaw in Microsoft Defender may introduce a new vulnerability that could render Windows machines unusable by filling their hard drives, potentially impacting millions of users and their data.

Key facts

  • Microsoft released a patch for a zero-day vulnerability in its Defender security engine.
  • The vulnerability, RoguePlanet (CVE-2026-50656), could allow attackers to gain administrative control.
  • The researcher who found the flaw stated the patch may cause unlimited file writing, exhausting disk space.
  • The issue stems from new 'defense-in-depth' updates in mpengine.dll and SpyNet functionality.
  • Defender normally limits file sizes during scans to prevent disk exhaustion.

Microsoft released a patch on Wednesday to address a zero-day vulnerability in its Defender security engine. However, the researcher who discovered the flaw, operating under the pseudonym NightmareEclipse, stated that the update may inadvertently create a new issue where attackers could fill hard drives by writing files of unlimited size.

The vulnerability, tracked as CVE-2026-50656 and named RoguePlanet, was publicly disclosed in June along with exploit code. It allowed remote attackers to gain administrative control over Windows 10 and Windows 11 machines, even with real-time protection disabled.

Microsoft's update targets the Microsoft Malware Protection Engine, which is integral to the Defender antivirus application. The fix is designed to download and install automatically. However, NightmareEclipse noted that new 'defense-in-depth' updates within the patch introduce a problem in mpengine.dll, the driver for the protection engine. This issue can cause the driver to leak 8 bytes of data when attempting to open a file. Additionally, new functionality in SpyNet, a Microsoft cloud service for reporting suspicious software, contributes to the potential for mass file-writing.

Normally, Defender enforces strict limits on file sizes during scanning and quarantining to prevent disk space exhaustion. NightmareEclipse observed that the SpyNet functions in mpengine.dll appear to bypass these limits, attempting to cache a local copy of the Zone.Identifier ADS file regardless of its size, potentially leading to complete consumption of available disk space.

Frequently asked questions

RoguePlanet, tracked as CVE-2026-50656, is a zero-day vulnerability discovered in Microsoft Defender that allows remote attackers to gain administrative control of Windows machines.

The patch for RoguePlanet may cause new 'defense-in-depth' features to allow attackers to write unlimited-sized files, potentially exhausting all available disk space on a Windows machine.

The original vulnerability affects Windows 10 and Windows 11 machines.

The fix is part of an update to the Microsoft Malware Protection Engine and is designed to download and install automatically.

What Happens Next

01Microsoft is expected to monitor for any further issues arising from the patch.
02Users should ensure their Windows Defender is up-to-date to receive the latest security fixes.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

A zero-day vulnerability in Microsoft Defender, known as RoguePlanet (CVE-2026-50656), was disclosed in June.
The vulnerability allowed remote attackers to gain administrative control of Windows machines.
Microsoft released a patch for the vulnerability on Wednesday.
The researcher who discovered the flaw stated that the patch's new mitigations may cause unlimited file writing, exhausting disk space.

Sources

T1
Patch for Windows Defender 0-day could allow attackers to fill hard diskvar abtest_2162476 = new ABTest(2162476, 'impression');Ars Technica

Related Stories

Impulse Space developing kick stage for military launch competition
9 Jul · 1:15 PM
Ethereum Foundation Uses AI Agents to Find Network Vulnerabilities
9 Jul · 6:30 PM
China unveils high-power microwave weapon arsenal
9 Jul · 2:05 PM
China Eases Restrictions on AI Firms Purchasing Nvidia H200 Chips
9 Jul · 2:15 PM
US-China AI race hinges on electricity access
9 Jul · 12:35 PM