Microsoft delivered Malware Protection Engine version 1.1.26060.3008 on July 14, 2026, sealing the notorious RoguePlanet vulnerability. But the same update has a dangerous side effect: a new, unpatched flaw that lets attackers silently consume every byte of free storage on a Windows PC.

The bug, disclosed by the anonymous researcher Nightmare-Eclipse who also found RoguePlanet, means that connecting to a malicious file server can cause Microsoft Defender to cache an enormous file until the drive is completely full. No official fix exists yet, and Microsoft has not publicly acknowledged the issue.

The Unintended Consequence of a Critical Patch

RoguePlanet (CVE-2026-50656) was a privilege-escalation hole in Defender’s engine that could hand SYSTEM‑level control to an attacker. Microsoft’s fix—engine version 1.1.26060.3008, pushed automatically through security intelligence updates—closed that door. The previous vulnerable build was 1.1.26050.11.

Nightmare-Eclipse, after reverse-engineering the updated mpengine.dll, found that the patched code still trusts one file‑handling path without the usual size limits. Defender normally caps the data it will scan or quarantine from untrusted sources, a safeguard critical for an engine that inspects files from the wild. But that limit vanishes when the engine processes a Zone.Identifier alternate data stream (ADS).

Zone.Identifier is an NTFS metadata stream that Windows attaches to downloaded files as the “Mark of the Web,” flagging content from outside the local machine. Defender’s cloud‑protection system (SpyNet) reportedly tries to retain a local copy of this stream regardless of its size. Nightmare-Eclipse crafted a proof of concept that places a suspicious file and an intentionally oversized Zone.Identifier stream on an attacker‑controlled SMB server. When a Windows machine browses that share, Defender begins caching the stream locally. By hanging the read operation at a strategic moment, the server keeps Defender stuck with the cached file open, and the cache can grow without check until the disk is full.

This is not an instant blue‑screen condition, but the practical effect is catastrophic. Windows and its applications depend on free space for temporary files, databases, logs, updates, paging, and service state. Once the system drive hits zero free bytes, applications crash, services fail, and administrators may lose remote management paths.

Who Is Affected and How Bad Is It?

The attack requires the target to connect to a specially crafted SMB server. That significantly limits the risk for the average home user; browsing the web or opening email won’t trigger it. Outbound SMB traffic (TCP port 445) is already blocked by most ISPs and firewalls, a longstanding best practice.

Environments that allow internal SMB traffic face a different calculus. Corporate networks routinely rely on SMB for file shares, software distribution, storage appliances, and administrative workflows. An attacker who has already gained a foothold inside the network could spin up a malicious SMB server in a location that endpoints are allowed to reach. From there, any Windows 11 25H2 or Windows Server 2025 machine that accesses the share could have its drive exhausted.

Nightmare-Eclipse reproduced the behavior on both Windows 11 25H2 and Windows Server 2025. Public evidence does not yet confirm whether Windows 10, earlier Windows 11 releases, other supported Server versions, or other Microsoft security products that share the same engine are affected. The researcher is also probing a possible WebDAV variant, though this remains an untested theory.

The Road to This Mess

RoguePlanet was the star of June’s security drama. Discovered by Nightmare-Eclipse, it allowed any standard user account to escalate to NT AUTHORITY\SYSTEM—the highest privilege on a Windows box—via a race condition in the Malware Protection Engine. Microsoft acknowledged the zero‑day and shipped engine 1.1.26060.3008 to close the hole.

During the analysis of that fix, Nightmare-Eclipse spotted the disk‑exhaustion path and published a working demonstration. As of July 14, 2026, Microsoft had not commented on the follow‑on bug. It is unclear whether the vulnerable ADS‑caching behavior was freshly added by the RoguePlanet mitigations, was present in earlier versions, or simply came to light because the researcher was scrutinizing the updated code. What is clear: the original SYSTEM escalation is patched, while a separate denial‑of‑service risk now rides along inside the same engine.

What You Should Do Right Now

The worst response would be to disable Defender or roll back the patch, because that would restore a publicly documented privilege‑escalation vulnerability. Instead, focus on limiting the one attack vector that the new bug needs.

  • Block outbound SMB traffic to untrusted networks and the public internet—especially TCP port 445—on both endpoint and network firewalls. This has been a security best practice for years.
  • Restrict internal SMB access so workstations can connect only to approved file servers. Broad east‑west SMB connectivity is a risk multiplier.
  • Monitor disk space with alerts for sudden free‑space loss and unusual sustained disk activity linked to MsMpEng.exe. On Windows Server 2025, a full system volume can take down multiple workloads at once.
  • Verify engine versions to ensure every endpoint is running Malware Protection Engine 1.1.26060.3008 or newer. Keeping RoguePlanet patched is non‑negotiable.
  • Maintain tested backups and out‑of‑band administrative access that do not depend on free space remaining on the affected system drive. If a machine locks up, you still need a way to recover it.

No Microsoft KB number, CVE identifier, or official workaround exists for the disk‑exhaustion issue yet. The next meaningful event will be either a Microsoft acknowledgement or a newer engine build that explicitly changes how Zone.Identifier ADS is cached. In the meantime, balance two facts: the current Defender update closes a SYSTEM‑level hole, but untrusted SMB access can abuse that update to fill your drives. Block SMB where you can, monitor relentlessly, and wait for a proper fix.