-
Microsoft has rolled out a fix for a nasty bug in Microsoft Defender. That bug could let attackers take over Windows computers completely, even fully updated ones.
-
This flaw, nicknamed RoguePlanet, lives inside the Malware Protection Engine, part of Defender that scans files to catch threats.
-
This security update is delivered via automatic engine updates by Defender, requiring no special steps from customers.
Microsoft just released a security update that’ll address a critical privilege escalation flaw in Microsoft Defender. This patch comes after several reports about the issue.
The flaw, referred to as “RoguePlanet,” is present in the Microsoft Malware Protection Engine. This engine is responsible for scanning files for malware and other suspicious activities.
In the bid to address the issue, Microsoft released version 1.1.26060.3008, which is the latest version of its Malware Protection Engine, plus other additional security enhancements.
The Flaw Could Grant Attackers Full Control of a System
RoguePlanet is a vulnerability that lets someone with limited access on a Windows computer boost their permissions all the way up to NT AUTHORITY\SYSTEM. That’s the highest permission level you can get on Windows.
If you obtain SYSTEM privileges, your power will not have limits in terms of control over the affected machine. The flaw follows a series of Microsoft Defender vulnerabilities that have required urgent fixes from the company.
There is no limit to what you can do on the compromised system – from installing any applications to changing security settings and creating additional admin accounts.
This bug occupies 7.8 on the CVSS scale. That’s a way of saying it’s a severe security problem. Microsoft said in its advisory that the issue is inside mpengine.dll, which controls how Defender scans files.
According to security researcher Chaotic Eclipse (or Nightmare-Eclipse), RoguePlanet vulnerability falls into the category of a race condition. Race condition vulnerabilities occur when there is an attempt at simultaneous access to one resource by several processes. This creates a narrow window where unexpected behavior can take place, and an attacker could gain access.
Due to that timing requirement, there’s no guarantee that the exploit will succeed every time. The researcher noted that success rates varied across systems. Some machines consistently achieved successful exploitation after repeated attempts.
Concerns Over Zero-Day Disclosure
One of the most worrying things about RoguePlanet was its timing. It surfaced just days after the release of Microsoft’s June 2026 Patch Tuesday. It reportedly worked against systems that were already fully up-to-date.
Notably, the expert mentioned that the exploit worked regardless of the status of Microsoft Defender’s real-time protection. This means that the problem was within the scanning engine of the product.
The company recognized the existence of the vulnerability shortly after its announcement. The company confirmed that it was developing a security update.
RoguePlanet is the latest in a series of Microsoft Defender vulnerabilities that Chaotic Eclipse disclosed in 2026. There were other exploit disclosures before RoguePlanet, including BlueHammer (CVE-2026-33825). There’s also UnDefend (CVE-2026-45498) and RedSun (CVE-2026-41091).
After their disclosures, Microsoft quickly fixed the problem. However, reporting the bugs made the researcher who disclosed them popular in the Windows security community. This research has published lots of proof-of-concept exploits targeting Microsoft’s security tools.
According to reports, there’s been some friction between Microsoft and this researcher. The disagreement is mostly about how best to disclose vulnerabilities and how to handle bug bounties. Moreso, it’s worth noting that Microsoft didn’t credit Chaotic Eclipse for finding CVE-2026-50656 in its advisory.
Users Should Already Receive the Fix
Unlike Windows cumulative updates, the RoguePlanet fix is delivered through Microsoft’s antimalware engine update mechanism. Microsoft said no customer action is required because Microsoft Defender automatically downloads updated malware definitions and engine files several times each day when connected to the internet.
Organizations using Microsoft Defender in enterprise environments also receive these updates through the standard update process. But that changes if the system administrator changes the default settings.
To patch this issue on your computer, users should make sure they have the latest Malware Protection version 1.1.26060.3008. The systems that have older engine versions can manually validate the updates of Defender.
The release closes one of the highest-profile Defender vulnerabilities disclosed this year. It also highlights Microsoft’s continued reliance on frequent engine updates to rapidly respond to newly discovered security threats.