Windows Defender Patch for RoguePlanet Zero-Day Vulnerability May Exhaust Disk Space on Windows Systems
Microsoft has issued a patch for a critical zero-day vulnerability known as RoguePlanet (CVE-2026-50656) affecting the Microsoft Malware Protection Engine that powers Windows Defender. However, security researcher NightmareEclipse, who originally discovered and disclosed the flaw, warns that the fix itself may cause Windows systems to exhaust all available disk space by writing massive files to the drive.
The vulnerability first gained attention in June when NightmareEclipse published technical details and a working exploit. According to the researcher, RoguePlanet enabled remote attackers to obtain full administrative control over both Windows 10 and Windows 11 even when real-time protection was turned off. In response, Microsoft released an update to the Microsoft Malware Protection Engine component, which is designed to install automatically without requiring user intervention. The company also added additional defensive measures alongside the fix.
Shortly after the patch deployment, NightmareEclipse reported that the update can trigger unintended behavior in which Defender writes enormous volumes of data to disk. The issue is linked to the mpengine.dll library and the SpyNet functions that attempt to locally cache the Zone.Identifier alternate data stream — a Windows metadata mechanism used to track file origin information such as downloads from the internet.
Under normal circumstances, Windows Defender enforces strict size limits on files it creates during scanning and quarantine operations. However, the researcher claims that Zone.Identifier streams are treated as an exception, allowing Defender to store them locally regardless of their size. An attacker can exploit this by setting up a specially crafted SMB server that delivers a malicious file accompanied by an extremely large Zone.Identifier stream while keeping the connection alive. This can cause Defender to hang during processing and consume all remaining free space on the system drive.
While the computer may not crash immediately, a Windows system with a completely full disk tends to exhibit erratic behavior: applications and system services may fail unpredictably, similar to an overloaded server. Microsoft has not yet confirmed or commented on the reported disk-exhaustion issue at the time of publication. The ongoing dispute between the company and NightmareEclipse has lasted several months, with the researcher criticizing Microsoft for inadequate recognition and compensation for discovered vulnerabilities, while the company has expressed concerns about the early public disclosure of exploits before patches were available.