Technology

Researcher says Defender fix may let attackers fill Windows disks

Microsoft patched a Defender zero-day, but the researcher who found it says the update may create a disk-exhaustion problem.

James Whitfield

By James Whitfield · Staff Writer

3 min read

Researcher says Defender fix may let attackers fill Windows disks
Photo: Ars Technica

Microsoft’s latest fix for a Windows Defender zero-day may introduce a separate problem that lets attackers consume all available disk space on affected systems, according to the researcher who reported the behavior. The claim matters because the update targets Defender’s security engine, a component that updates automatically on Windows machines.

Microsoft said Wednesday that it addressed CVE-2026-50656, a vulnerability known as RoguePlanet, through an update to the Microsoft Malware Protection Engine used by Defender. The company said the update would download and install automatically and also included defense-in-depth changes meant to improve security-related features.

RoguePlanet became public in June after a pseudonymous researcher using the name NightmareEclipse disclosed the flaw and released exploit code, according to Ars Technica. The vulnerability allows remote attackers to gain administrative control of Windows 10 and Windows 11 systems, even if real-time protection has been turned off, according to the researcher’s disclosure as reported by Ars.

Researcher points to new file-writing behavior

In a Thursday post, NightmareEclipse said the additional protections added by Microsoft may cause Defender to write data until a drive runs out of free space. The researcher said the issue involves mpengine.dll, the driver tied to the Microsoft Malware Protection Engine, and can produce an 8-byte data leak in some cases when Defender tries to open a file.

NightmareEclipse also said new functionality in SpyNet, Microsoft’s cloud reporting service for suspicious software, contributes to the behavior. According to the researcher, Defender usually enforces limits on how large files can be when it scans or quarantines content, because storing very large files could consume disk space.

The researcher said an exception appears to involve Zone.Identifier alternate data streams. Windows uses Zone.Identifier metadata to record where a file came from, such as the Internet, email or another outside source, and to apply the appropriate security zone.

NightmareEclipse said Defender will cache a local copy of a Zone.Identifier stream regardless of its size. In the scenario described by the researcher, that can be abused to make Defender hold files that occupy the disk.

SMB attack scenario described

The researcher said exploiting the issue would require a custom SMB server that serves a malicious file followed by a very large alternate data stream, using an example such as a Mimikatz executable and a related Zone.Identifier stream. NightmareEclipse said the server would then keep a read request alive without responding, causing Defender to hang while retaining a lock on files that take up disk space.

According to NightmareEclipse, that condition would not crash Windows outright, but a full disk could make Windows unstable and cause applications and services to fail unpredictably. Ars Technica reported that Microsoft did not immediately respond to questions about whether it could confirm the described behavior.

The disclosure follows months of friction between Microsoft and NightmareEclipse. According to Ars Technica, the dispute began after the researcher said Microsoft silently fixed a vulnerability they had privately reported; the researcher later released details and exploit code for other vulnerabilities before Microsoft had patches ready.

Microsoft criticized the researcher for disclosing flaws “not responsibly” and made an indirect reference to possible legal action, according to Ars Technica. After public criticism, Microsoft said it would not pursue such action.

This story draws on original reporting from Ars Technica.