Microsoft has patched a local privilege escalation vulnerability in the Microsoft Malware Protection Engine — the core scanning engine behind Windows Defender — tracked as CVE-2026-50656 and publicly dubbed “RoguePlanet.” The flaw, disclosed by researcher Chaotic Eclipse (aka Nightmare-Eclipse), carries a CVSS score of 7.8 and is rooted in improper link resolution before file access (CWE-59).
The exploit is a race condition: an attacker with local access can win a timing window during a scan operation to get the engine to act on an attacker-controlled file path instead of the intended one, ultimately spawning a command shell with SYSTEM-level privileges. Researchers confirmed the technique worked against fully patched Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates — meaning standard OS patching alone did not close the gap.
What makes this notable is the target: the security software itself. Malware Protection Engine updates ship automatically and outside the normal patch cadence, so most environments will already have received the fix in version 1.1.26060.3008 without any action. But that same automatic-update model is precisely why it’s worth verifying rather than assuming — if Defender updates are blocked by policy, proxy, or offline imaging in your environment, hosts can silently miss engine updates for extended periods.
For teams that rely on Defender as a primary endpoint control, confirm your fleet’s Malware Protection Engine version has advanced past 1.1.26050.x, and check whether any endpoint management or WSUS configuration is inadvertently pinning or delaying engine updates. A flaw in your detection layer is a flaw in your detection coverage story, not just another CVE to track.