Researcher ‘Chaotic Eclipse’ Claims RoguePlanet Defender Patch May Leak Data and Exhaust Disk Space

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Microsoft’s patch for the RoguePlanet Windows Defender zero-day may have introduced new security and reliability concerns, according to researcher Chaotic Eclipse.

The researcher claims that recent defense-in-depth changes in Microsoft Malware Protection Engine’s mpengine.dll can leak eight bytes of data in certain file-handling scenarios and can be abused to exhaust local disk space.

RoguePlanet, tracked as CVE-2026-50656, is a high-severity local privilege-escalation flaw in the Microsoft Malware Protection Engine, the core component behind Microsoft Defender scanning and remediation.

Microsoft addressed the issue in engine version 1.1.26060.3008 alongside additional hardening measures it described as defense-in-depth updates.

RoguePlanet Defender Patch Claim

Chaotic Eclipse, also known as Nightmare-Eclipse, said the newly introduced mitigations appear to create an unintended information-disclosure condition when Defender attempts to open a specially handled file.

The reported issue leaks eight bytes of data, though the researcher said they have not yet found a way for a standard user to retrieve those bytes; current observations indicate that the data is exposed only to drivers. This behavior has not been independently confirmed by Microsoft.

More immediately concerning is a separate denial-of-service scenario involving Defender’s quarantine and reputation-related handling of Zone.Identifier alternate data streams (ADS).

A Zone.Identifier stream is Windows metadata that records a file’s origin or security zone, commonly associated with files downloaded from the internet or obtained from network locations.

According to the researcher’s analysis, Defender generally applies size limits when scanning and quarantining files, a sensible safeguard intended to prevent a very large object from consuming all available storage.

However, the reported exception lies in mpengine.dll functions associated with Microsoft’s Spynet cloud-protection framework, which allegedly retain a local copy of Zone.Identifier data regardless of the stream’s size.

RoguePlanet Defender Patch Claim

The researcher demonstrated the condition using a controlled SMB server. In the proof-of-concept setup, Defender accesses a file hosted on the server and then attempts to read its associated oversized Zone.Identifier ADS.

The server reportedly keeps the SMB session active while withholding a response to a later read request, leaving Defender waiting and retaining disk space for the cached content.

Screenshots shared with the report show the affected Windows volume reaching zero free bytes while the SMB connection remains available. Process-monitoring output appears to show Microsoft Defender’s MsMpEng.exe repeatedly writing data and ultimately receiving DISK FULL results, rather than promptly abandoning the operation.

RoguePlanet Defender Patch Claim

The researcher said the issue was reproduced on Windows 11 version 25H2 and Windows Server 2025. Although the condition is not described as a system crash, a fully consumed system drive can have serious operational consequences: applications may fail to write temporary files, services can become unstable, updates may fail, and endpoint protection operations can be disrupted.

At present, exploitation appears to require a victim system to access a malicious or researcher-controlled SMB share, which generally introduces an authentication and user-interaction barrier.

Chaotic Eclipse is also assessing whether WebDAV could produce similar behavior, but reported that ADS access attempts through the protocol currently fail with STATUS_INVALID_PARAMETERS.

Organizations should ensure Defender engines are updated, restrict unnecessary outbound SMB access, monitor abrupt disk-consumption events involving MsMpEng.exe, and investigate unusually large ADS-related file activity.

Microsoft has not publicly confirmed this alleged post-patch issue, so defenders should treat it as a reported research finding pending vendor validation.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post Researcher ‘Chaotic Eclipse’ Claims RoguePlanet Defender Patch May Leak Data and Exhaust Disk Space appeared first on Cyber Security News.