Microsoft issued a critical update for its Defender antivirus engine earlier this month to close a dangerous privilege-escalation vulnerability known as RoguePlanet. Now, a security researcher has shown that the same patched engine can be tricked into eating up all available disk space on Windows machines, creating a denial-of-service risk—but administrators shouldn’t even think about rolling back.

The discovery, made by researcher Nightmare-Eclipse and first reported by Neowin and Ars Technica, reveals a flaw in how Defender version 1.1.26060.3008 handles a specific type of metadata attached to downloaded files. An attacker who can coerce a system into scanning a specially prepared file over a network share can force Defender to cache enormous amounts of data, silently filling the hard drive until applications fail, logs stop writing, and the machine becomes unstable.

The RoguePlanet Fix You Can’t Afford to Skip

The patch in question closes CVE-2026-50656, a zero-day dubbed RoguePlanet that Microsoft rated with a CVSS score of 7.8. Successful exploitation allows any standard user—no admin rights needed—to escalate privileges all the way to NT AUTHORITY\SYSTEM, the highest possible level on Windows. That kind of access gives an attacker complete control: install malware, steal credentials, disable security software, and move laterally across a network.

The fix arrived not through the usual Patch Tuesday routine but as a silent update to the Microsoft Malware Protection Engine. Version 1.1.26060.3008 replaced the vulnerable build 1.1.26050.11. Because Defender pulls down new engine versions automatically alongside its daily security intelligence updates, most connected PCs received the fix without any user action. Anyone still on the older engine is wide open to a proven attack that requires only that Defender scan a malicious file.

You can check your own engine version by opening Windows Security, clicking on Virus & threat protection, selecting “Check for updates,” then going to Settings > About. The “Engine Version” line tells the story. Alternatively, run Get-MpComputerStatus in PowerShell and look for the AMEngineVersion field.

How an Attacker Can Fill Your Drive

The newly uncovered weakness sits in Defender’s handling of alternate data streams, or ADS. NTFS, the file system on most Windows drives, lets each file carry extra streams of data that don’t appear in the main file. Windows uses a stream called Zone.Identifier to store Mark-of-the-Web information—where a file came from, which security zones it belongs to. That’s what tells Office to open a downloaded document in Protected View or triggers SmartScreen warnings.

Defender normally imposes strict size limits on everything it scans and caches, precisely because it runs with elevated privileges and often processes attacker-controlled content. Nightmare-Eclipse found that those limits aren’t properly applied when the patched engine caches a Zone.Identifier stream. An oversized stream can slip past the guardrails, and a cleverly stalled network read keeps the cache file locked open while data piles up on the victim’s drive.

The attack requires a custom SMB server that serves a file with a bloated Zone.Identifier stream and intentionally delays responses at key moments. The victim must access that server over the network—simply encountering a normal web download or email attachment won’t trigger the flaw. That raises the bar for exploitation, especially on networks that block outbound SMB traffic or filter TCP port 445 at the perimeter.

Once triggered, the disk fills silently. Defender doesn’t show an alert, and standard antivirus events don’t fire. End users might first notice when applications start freezing, document saves fail, or the system warns about critically low disk space. On servers, the impact can cascade quickly: database transactions abort, event logs stall, and monitoring tools go blind.

What This Means for Home Users

For most individuals running Windows 11 or Windows 10 with Defender as their primary antivirus, the immediate risk is low. Exploitation requires a custom SMB server and a way to lure the victim into accessing it. Home networks typically don’t expose SMB to the internet, and mainstream malware campaigns have not adopted this technique. There are no reports of in-the-wild attacks targeting this specific behavior.

Still, it’s a reminder that every security fix carries a small chance of regression. The key takeaway is simple: do not disable Defender or attempt to roll back the engine. Leaving the RoguePlanet vulnerability open is far worse than facing a theoretical disk-filling scenario that hasn’t been seen outside a research lab.

For IT Administrators: Practical Steps Right Now

Enterprise defenders should treat this as a monitoring and network control challenge, not an unpatch-and-retreat emergency. Rolling back to engine 1.1.26050.11 opens the door to a real, weaponizable privilege escalation. Instead, focus on these immediate actions:

  • Verify engine version fleet-wide. Use Windows Event log queries or a management tool to confirm all endpoints are on 1.1.26060.3008 or later.
  • Alert on sudden disk-space drops. Set thresholds for system drives, especially when combined with unusual SMB connections. Tools like Windows Performance Monitor or your SIEM can flag low-free-space events quickly.
  • Restrict outbound SMB. Block TCP port 445 at the network edge and limit it internally to servers that genuinely require it. No workstation should be browsing arbitrary SMB paths on the internet.
  • Do not manually delete Defender cache files. Forced removals can corrupt the engine state or cause false positives. Wait for an official update.
  • Watch for another engine revision. Microsoft ships Malware Protection Engine updates frequently, often outside the regular monthly cycle. The fix for this disk-exhaustion issue will likely arrive as a new engine version, not a traditional KB update.

Additionally, Nightmare-Eclipse mentioned a separate eight-byte information leak in the same engine, but that finding requires kernel-level access and has no known practical exploit path. It’s a lower priority than the disk-fill issue.

How We Got Here: A Timeline of July’s Defender Surprises

Microsoft originally disclosed RoguePlanet on July 7, 2026, as part of its regular security updates. The company assigned it a severity rating of Important and noted that exploitation was less likely if the system was running a third-party antivirus (which disables Defender’s scanning engine). By the following week, proof-of-concept code had appeared publicly, and security firms reported active exploitation attempts.

The Malware Protection Engine update that delivered the fix—version 1.1.26060.3008—began rolling out automatically through the standard security intelligence channel. Because Defender checks for updates multiple times per day, the vast majority of online systems were protected within 24–48 hours.

Then, on July 14, Windows Report and other outlets published Nightmare-Eclipse’s findings about the disk-consumption bug. Microsoft has not yet confirmed the issue, and no CVE number has been assigned. The researcher is also investigating whether the attack can be delivered over WebDAV, which would make it much easier to launch from a web server rather than requiring a raw SMB share. So far, no working WebDAV proof of concept has been shared.

The Bigger Picture: Engine Updates vs. Monthly Patches

This episode highlights a blind spot in many organization’s update strategies. Defender’s Malware Protection Engine updates are not tied to Patch Tuesday or delivered through Windows Update in the traditional sense. They arrive via the Microsoft Malware Protection Center and are recorded in events under “Microsoft-Windows-Windows Defender/Operational” log with event ID 2000.

Teams that only verify cumulative update compliance can miss these changes entirely. As a result, a machine might appear fully patched while still running a vulnerable antivirus engine. Until Microsoft ships a corrected engine, the recommended version remains 1.1.26060.3008—even with its new quirk.

Outlook: A Correction Is Likely, but Don’t Wait for the Headlines

Microsoft moves quickly on engine-level flaws, especially when they affect a widely deployed component like Defender. A silent update that closes the ADS caching hole could drop within days, and it probably won’t come with a press release. Administrators should set a recurring check for engine version updates and resist the temptation to freeze their Defender deployments.

The researcher’s WebDAV investigation is worth tracking. If a remote HTTP-based attack method emerges, the severity equation shifts significantly for internet-facing systems. For now, though, the best posture is to stay current, lock down SMB, and let the automatic update mechanism do its work.

In the balance between a known SYSTEM-level takeover and an unconfirmed disk-fill attack with specific network prerequisites, the math favors the patch. Keep your engine version on 1.1.26060.3008, watch your free space, and wait for Microsoft’s next move.