Patch for Windows Defender 0-day could allow attackers to fill hard disk

A recent patch released by Microsoft to address a zero-day vulnerability in its Defender security engine has inadvertently raised concerns regarding potential disk space issues for Windows users. The vulnerability, identified as RoguePlanet and tracked under CVE-2026-50656, was first brought to light in June by a researcher known as NightmareEclipse. This flaw allows remote attackers to gain administrative control over Windows 10 and Windows 11 systems, even when real-time protection features are disabled.

Writing files of unlimited size

On Wednesday, Microsoft announced that it had implemented a fix for RoguePlanet through an update to the Microsoft Malware Protection Engine, which underpins the Defender antivirus application. This update is designed to be automatically downloaded and installed, requiring no action from users. Alongside the patch, Microsoft included additional “defense-in-depth” updates aimed at enhancing security features.

However, in a follow-up post on Thursday, NightmareEclipse highlighted that these defense-in-depth measures could lead to unintended consequences. Specifically, they may enable attackers to fill a hard drive to capacity by writing excessive amounts of data. The modifications introduced in the mpengine.dll driver, which is integral to the Microsoft Malware Protection Engine, can result in a data leak of 8 bytes when attempting to open a file. Furthermore, new functionalities in SpyNet, a cloud service that facilitates the reporting of suspicious software to Microsoft, contribute to this potential for mass file-writing behavior.

Typically, Defender imposes strict limits on the size of files that can be written to disk during scanning and quarantining processes. NightmareEclipse noted, “This implementation makes sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space.” However, the researcher discovered an exception: the spynet functions in mpengine.dll seem to insist on maintaining a local copy of the Zone.Identifier Alternate Data Stream (ADS) file, regardless of its size, leading to potential disk space exhaustion.

Winsage
Patch for Windows Defender 0-day could allow attackers to fill hard disk