Microsoft confirms Defender patch coming for RoguePlanet zero-day

Key Takeaways

- Microsoft assigned CVE-2026-50656 to the RoguePlanet vulnerability and confirmed a patch is in development
- The exploit uses a race condition in Defender to escalate privileges to SYSTEM level on fully patched Windows 10 and 11
- This is the seventh zero-day disclosed by researcher Nightmare Eclipse in an ongoing dispute with Microsoft over bug bounty practices

Microsoft has confirmed it is working on a security patch for RoguePlanet, a zero-day vulnerability in Windows Defender that allows attackers to gain SYSTEM-level privileges. The company assigned the flaw CVE-2026-50656 on Tuesday, one week after a security researcher publicly released exploit code.
The vulnerability affects fully patched Windows 10 and Windows 11 machines. It exploits a race condition in Microsoft's Malware Protection Engine, the core of Defender's real-time scanning. What makes this particularly concerning: the exploit works whether real-time protection is enabled or not.
How the RoguePlanet exploit works
RoguePlanet is a local privilege escalation vulnerability. It abuses a time-of-check-to-time-of-use (TOCTOU) flaw in Defender's file scanning pipeline. An attacker with standard user access can redirect file operations using NTFS reparse points and opportunistic locks, ultimately spawning a command prompt with SYSTEM privileges.
The researcher behind the disclosure, who goes by Nightmare Eclipse, acknowledged the exploit's inconsistent behavior. Race conditions are timing-dependent by nature.
“The exploit is a race condition, so it's a hit or miss. I have managed to get it to work consistently with a bit of timing manipulation.”
— Nightmare Eclipse, Security Researcher
On some machines, the researcher claims a 100% success rate. On others, the exploit struggles. That inconsistency might limit its use in automated attacks, but it remains dangerous for targeted intrusions where an attacker has time to retry.
Why Nightmare Eclipse keeps leaking Microsoft zero-days
RoguePlanet is not an isolated incident. It is the seventh zero-day Nightmare Eclipse has publicly disclosed since 2025. Previous releases include BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Some target Defender; others affect BitLocker and various Windows components.
The researcher's motivation appears rooted in frustration with Microsoft's bug bounty program and vulnerability disclosure practices. Nightmare Eclipse claims Microsoft removed their exploit repositories from GitHub and GitLab, prompting them to move to self-hosted Git. The company has responded with warnings about legal action against "malicious activity causing real harm to our customers," which many in the security community interpreted as a threat directed at the researcher.
Microsoft did patch three of the earlier flaws, GreenPlasma, MiniPlasma, and YellowKey, in the June 2026 Patch Tuesday release. The company has not credited Nightmare Eclipse for discovering RoguePlanet.
What Microsoft says about the fix
Microsoft's advisory offers little detail on timeline or mitigation. "We are working to provide a high quality security update that addresses this vulnerability," the company stated. "We will provide information in this CVE when the update is available."
The vague language is standard for Microsoft when a patch is still in development. But it leaves IT teams without clear guidance. Unlike some privilege escalation bugs, this one does not have a simple workaround since it targets Defender itself.
On Reddit's r/sysadmin, administrators are discussing potential mitigations like restricting ISO and VHD mounting via Group Policy. The effectiveness of such measures against this specific exploit is unclear, and many are frustrated by the difficulty of deploying these changes across large enterprise environments.
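Since the advisory promises only that the CVE will be updated "when the update is available", the practical question for an endpoint team is how to confirm the fix has actually reached every machine once it ships. The following PowerShell is an added example written for this article, not code from Microsoft or from the researcher; it uses the built-in Get-MpComputerStatus cmdlet to inventory Defender engine and platform versions and flag hosts below a fixed build. The fixed version number is not known yet (the advisory gives none), so it is a placeholder to be filled in from the CVE entry, and whether Microsoft ships the fix in the engine or the platform version is also an assumption to verify against the advisory.

```powershell
# Added example (not from the article, Microsoft, or the researcher): inventory
# Defender engine/platform versions across endpoints to confirm when the
# CVE-2026-50656 fix is in place. The fixed build is NOT known at time of writing;
# replace the placeholder below once Microsoft publishes it in the CVE.
$FixedEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: fill in from the CVE advisory

function Get-DefenderPatchState {
    param(
        # Local host by default; pass remote names to query over WinRM.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            $status = if ($computer -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock { Get-MpComputerStatus }
            }

            $engine = [version]$status.AMEngineVersion

            # The article notes the exploit works with real-time protection on or off,
            # so the RTP flag is reported for context only; "Patched" depends solely on
            # the engine build being at or above the (still unknown) fixed version.
            [pscustomobject]@{
                Computer        = $computer
                EngineVersion   = $engine
                PlatformVersion = $status.AMProductVersion
                RealTimeEnabled = $status.RealTimeProtectionEnabled
                Patched         = ($FixedEngineVersion -ne [version]'0.0.0.0') -and
                                  ($engine -ge $FixedEngineVersion)
                Error           = $null
            }
        } catch {
            # A host that cannot be queried is reported, not silently skipped.
            [pscustomobject]@{
                Computer        = $computer
                EngineVersion   = $null
                PlatformVersion = $null
                RealTimeEnabled = $null
                Patched         = $false
                Error           = $_.Exception.Message
            }
        }
    }
}

# Usage: run locally, or feed a list of hostnames from your inventory system.
Get-DefenderPatchState | Format-Table -AutoSize
# Get-DefenderPatchState -ComputerName (Get-Content .\endpoints.txt) |
#     Where-Object { -not $_.Patched } | Export-Csv .\unpatched-defender.csv -NoTypeInformation
```

Until the placeholder is replaced with a real build number, every host reports Patched = False, which is the honest answer while the fix is still in development; once the CVE lists the fixed engine (or platform) version, the same script becomes the verification step for the rollout.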
The ethics debate around full disclosure
Nightmare Eclipse's approach has split the security community. On Hacker News, some argue that public disclosure, even with working exploit code, forces companies to act on vulnerabilities they might otherwise deprioritize. Others counter that releasing zero-days before patches exist puts users at immediate risk.
The traditional responsible disclosure model gives vendors 90 days to patch before public release. Nightmare Eclipse has bypassed this entirely, citing what they view as Microsoft's bad-faith handling of previous reports. Whether that justifies the risk to millions of Windows users is the question neither side can resolve.
Logicity's Take
Microsoft's legal posturing has backfired. Threatening a researcher does not make vulnerabilities disappear; it makes them hostile. Seven zero-days in roughly a year suggests Nightmare Eclipse has either stockpiled findings or is actively hunting, and Microsoft's response has done nothing to slow the disclosures. The company needs to choose: fix the bugs faster or reform its bounty program. The current approach is producing neither patches nor goodwill.
Frequently Asked Questions
Is my Windows PC affected by the RoguePlanet vulnerability?
If you run Windows 10 or Windows 11 with Microsoft Defender, you are potentially affected. The exploit works on fully patched systems and does not require real-time protection to be enabled.
When will Microsoft release a patch for CVE-2026-50656?
Microsoft has not announced a specific date. The company confirmed it is working on a fix but provided no timeline in its advisory.
Can I protect myself before the patch is available?
No official workaround exists. Some administrators are exploring Group Policy restrictions on ISO and VHD mounting, but effectiveness against this specific exploit is unconfirmed.
Who is Nightmare Eclipse?
Nightmare Eclipse is a security researcher who has publicly released seven Microsoft zero-day exploits since 2025, citing disputes with Microsoft's bug bounty and disclosure practices.
Need Help Implementing This?
If you manage Windows endpoints and need guidance on monitoring for privilege escalation attempts or hardening Defender configurations, reach out to a qualified security consultant. Consider breach and attack simulation tools to test your detection coverage before the next zero-day drops.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer