A Windows Defender patch released by Microsoft on Wednesday was supposed to close the door on a serious zero-day vulnerability. Instead, it may have opened a window — one that lets attackers write unlimited data to a victim’s hard drive until the disk is completely full. That’s the warning from NightmareEclipse, the pseudonymous researcher who first uncovered the flaw and has been watching Microsoft’s response closely ever since.
- The Windows Defender patch for CVE-2026-50656 introduced a new flaw that may let attackers write unlimited data to disk.
- The Windows Defender patch affects mpengine.dll, causing an 8-byte data leak each time the engine attempts to open a file.
- Researcher NightmareEclipse discovered that SpyNet integration bypasses Defender’s normal file-size limits during quarantine operations.
- Microsoft’s fix auto-installs via the Malware Protection Engine update, meaning millions of machines received the flawed patch automatically.
Table of Contents
What the Windows Defender Patch Was Supposed to Fix
The underlying vulnerability, tracked as CVE-2026-50656 and nicknamed RoguePlanet, came to light in June when NightmareEclipse publicly disclosed it along with working exploit code. The flaw sits inside Windows Defender’s core engine and is serious by any measure: it allows a remote attacker to gain administrative control of Windows 10 and Windows 11 machines, even in cases where the user has manually disabled real-time protection. That last detail is particularly uncomfortable — it means the people who turned off Defender believing they had more control over their own system were actually just as exposed as everyone else.
This isn’t the first time NightmareEclipse has put Microsoft on the back foot. Over the past several months, the researcher has released a string of zero-days targeting Windows components, each one forcing Microsoft’s security teams to work against the clock. RoguePlanet appears to be the most consequential of the bunch, at least in terms of the scramble it provoked.

Microsoft’s fix arrived as an update to the Microsoft Malware Protection Engine — the underlying component that powers Defender’s antivirus scanning. Updates to this engine deploy silently and automatically, which is normally a good thing. It means security fixes reach users without requiring any manual intervention. In this case, though, it also means that whatever problems the Windows Defender patch introduced were pushed out to millions of machines before anyone had a chance to fully audit the changes.
The New Problem Hiding in the Windows Defender Patch
Microsoft’s Wednesday advisory mentioned that, alongside the core fix, the update includes what it called “defense-in-depth updates to help improve security-related features.” That phrase, which Microsoft uses to describe supplementary hardening measures that don’t address a specific named vulnerability, is usually benign. This time, according to NightmareEclipse, it’s anything but.
In a post published Thursday, the researcher outlined how the new defense-in-depth additions create a potential denial-of-service condition. The issue lives inside mpengine.dll, the driver file at the heart of the Microsoft Malware Protection Engine. Under certain conditions, the updated driver leaks 8 bytes of data each time it attempts to open a file. On its own, 8 bytes sounds trivial. But that’s not where the story ends.
The more significant problem involves SpyNet, Microsoft’s cloud telemetry service that allows Defender — along with older products like Microsoft Security Essentials and Forefront Endpoint Protection — to send reports about suspicious files and programs back to Microsoft’s servers. SpyNet is designed to help Microsoft identify new malware strains quickly by crowdsourcing behavioural data from endpoints around the world. The service is deeply integrated into mpengine.dll, and that integration is where things get messy.
Why Defender’s File-Size Limits No Longer Apply
Under normal operation, Windows Defender enforces strict size limits on files it writes to disk during the scanning and quarantine process. This is intentional and sensible design. As NightmareEclipse explained in their post, this implementation make [sic] sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space. The engineers who built this safeguard clearly understood the risk.
The Windows Defender patch, however, introduced a gap in those protections. The SpyNet-related functions inside mpengine.dll want to keep a local cache of something called a Zone.Identifier Alternate Data Stream — a small metadata file that Windows uses to track where a downloaded file came from. The problem is that these SpyNet functions don’t honour the same file-size constraints that the rest of Defender does. As NightmareEclipse put it: “it does not matter how big this file is, Windows Defender will cache it locally anyways.”
In practice, that means an attacker who can present Defender with a sufficiently large file — or craft a scenario that generates one — could trigger the engine to write that data to disk with no upper bound on size. Keep going long enough, and the drive fills up entirely. A full disk on a Windows machine can cause applications to crash, logs to stop recording, and in some configurations, the operating system itself to become unstable or unbootable.
The Wider Problem with Patching at Scale
What this episode highlights is a tension that Microsoft — and frankly, every major platform vendor — has never fully resolved. Shipping security updates fast is critical. In the time between a vulnerability being disclosed publicly and a patch reaching users, every unpatched machine is a potential victim. Microsoft’s decision to push Malware Protection Engine updates silently and automatically is the right call in principle. Speed matters when exploit code is already public.
But speed without rigorous post-patch validation has its own costs. A Windows Defender patch that introduces a new attack surface — even a different class of attack — isn’t a clean win. It’s a trade-off that users and enterprise IT teams didn’t get a say in, because the update was already on their machines by the time the problem was identified.
For enterprise environments, the consequences of a disk-exhaustion attack are worth taking seriously. Servers and workstations with limited storage headroom are particularly vulnerable. Security information and event management systems — the tools that write logs continuously — would be among the first casualties of a full disk. An attacker who can silence a company’s logging infrastructure buys themselves valuable time to move laterally without being recorded.
NightmareEclipse’s track record suggests this won’t be the last time Microsoft finds itself reacting to their disclosures. The researcher’s pattern — public disclosure with working exploits — puts real-world pressure on patch timelines in ways that responsible disclosure to vendors privately simply doesn’t. Whether that approach is ethically defensible is a debate that the security community has been having for years without resolution. What’s not debatable is that it works as a forcing function. Microsoft moves faster when exploit code is already in the wild.
For now, there’s no official guidance from Microsoft on how to mitigate the disk-fill behaviour that the Windows Defender patch introduced while a follow-up fix is prepared. Users and administrators would be wise to monitor available disk space on Windows machines — particularly those running Defender with SpyNet reporting enabled — until Microsoft clarifies its next steps.
Source: Ars Technica

