Microsoft Patches 'RoguePlanet' Defender Flaw That Grants SYSTEM Privileges

CVE-2026-50656, a race condition in the Microsoft Malware Protection Engine, let local attackers spawn a SYSTEM-level shell on fully patched Windows hosts. Microsoft has shipped a fix.

Vulnerability AWS Tools

Microsoft has patched a local privilege escalation vulnerability in the Microsoft Malware Protection Engine — the core scanning engine behind Windows Defender — tracked as CVE-2026-50656 and publicly dubbed “RoguePlanet.” The flaw, disclosed by researcher Chaotic Eclipse (aka Nightmare-Eclipse), carries a CVSS score of 7.8 and is rooted in improper link resolution before file access (CWE-59).

The exploit is a race condition: an attacker with local access can win a timing window during a scan operation to get the engine to act on an attacker-controlled file path instead of the intended one, ultimately spawning a command shell with SYSTEM-level privileges. Researchers confirmed the technique worked against fully patched Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates — meaning standard OS patching alone did not close the gap.

What makes this notable is the target: the security software itself. Malware Protection Engine updates ship automatically and outside the normal patch cadence, so most environments will already have received the fix in version 1.1.26060.3008 without any action. But that same automatic-update model is precisely why it’s worth verifying rather than assuming — if Defender updates are blocked by policy, proxy, or offline imaging in your environment, hosts can silently miss engine updates for extended periods.

For teams that rely on Defender as a primary endpoint control, confirm your fleet’s Malware Protection Engine version has advanced past 1.1.26050.x, and check whether any endpoint management or WSUS configuration is inadvertently pinning or delaying engine updates. A flaw in your detection layer is a flaw in your detection coverage story, not just another CVE to track.

Why it matters: The irony here is the attack surface: your endpoint protection engine itself. Confirm the Malware Protection Engine has auto-updated to 1.1.26060.3008 or later across your fleet — this doesn't wait for a normal patch cycle, but it's worth verifying rather than assuming.

Read source →