Skip to content
feed: live
>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-50656

Microsoft Defender Malware Protection Engine race-condition EoP ('RoguePlanet')

Race-condition EoP in the Microsoft Malware Protection Engine (Defender) that lets a local user reach SYSTEM. Fixed in engine build 1.1.26060.3008. Public PoC.

cat cve-2026-50656.json
Vendor
Microsoft
Product
Microsoft Malware Protection Engine (versions 1.1.0.0 through 1.1.26060.3008 — shipped with Microsoft Defender on Windows 10, Windows 11, Windows Server, and Microsoft Defender for Endpoint on Server)
CVSS
7.8
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-50656, publicly named RoguePlanet, is a race condition in the Microsoft Malware Protection Engine — the shared component that runs Defender’s real-time scans on Windows 10, Windows 11, and Windows Server. Under normal operation a scan runs as SYSTEM against files the engine picks up from disk; the race window lets a local unprivileged user get an attacker-controlled action fired as SYSTEM, producing code execution as SYSTEM from a low-privileged account.

Microsoft published the advisory on 2026-07-09 and shipped the fix in Malware Protection Engine build 1.1.26060.3008. Anything from 1.1.0.0 through 1.1.26060.3008 is vulnerable per NVD’s product entry. The engine updates on Microsoft’s automatic Defender definition channel and should reach most fleets within 24-48 hours of publish; hosts that are behind on Windows Update, air-gapped, or pinned to non-default definition sources are where this lingers.

Microsoft’s CNA rates the flaw CVSS 7.8 (high) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. NVD’s independent scoring is CVSS 7.0 (high), differing only on attack complexity. Either way it is a serious local privilege escalation, not a remote one.

The researcher who disclosed it, working under the handle “Nightmare Eclipse,” published a proof-of-concept in a public Git repository at disclosure — NVD’s reference to the repo carries the “Product” tag. Microsoft’s advisory does not currently mark exploitation as detected in the wild, and CISA has not added CVE-2026-50656 to KEV as of publication.

See the full write-up for verification steps and fleet-prioritization guidance.