Microsoft's Fix for Windows Defender Zero-Day Might Accidentally Fill Your Hard Drive, Researcher Says
Microsoft's patch for a Windows Defender zero-day might accidentally let attackers fill your hard drive, because fixing one bug apparently requires creating another.
Microsoft's Wednesday patch for a zero-day vulnerability in its Defender security engine may have a side effect: it could fill your hard drive with massive files, according to the researcher who discovered the original flaw.
The vulnerability, tracked as CVE-2026-50656 and dubbed RoguePlanet, was disclosed in June by a pseudonymous researcher known as NightmareEclipse, who also published exploit code. The flaw allows remote attackers to gain administrative control of Windows 10 and Windows 11 machines, even with real-time protection disabled. Microsoft's patch updates the Microsoft Malware Protection Engine used by Defender, and includes "defense-in-depth updates" to improve security.
But in a Thursday post, NightmareEclipse said these mitigations introduce a new problem: the driver mpengine.dll can leak 8 bytes of data when opening a file, and combined with SpyNet cloud service functionality, may cause Defender to write massive amounts of data to disk, exhausting available space. Normally, Defender limits file sizes during scanning and quarantining, but the researcher found an exception involving Zone.Identifier files - hidden metadata Windows attaches to downloaded files.
To exploit this, an attacker would need a custom SMB server that serves a malicious file (like mimikatz) followed by a massive ADS file (e.g., mimikatz.exe:Zone.Identifier). By never completing read requests but keeping the connection alive, Defender hangs and locks the file, consuming disk space. While this won't crash the machine, a full disk causes apps and services to crash randomly.
Microsoft did not immediately confirm the behavior. The dispute between NightmareEclipse and Microsoft dates back to at least May, when the researcher claimed Microsoft silently patched a vulnerability they reported. Since then, the researcher has released details and exploit code for several flaws before Microsoft could patch them. Microsoft has criticized the disclosures as irresponsible and hinted at legal action, but backed down after public backlash. Thursday's revelation suggests the feud continues.
The Good Times
News in your inbox.
One sardonic roundup, delivered on your schedule. Free. Unsubscribe whenever your tolerance for wit runs out.
Already subscribed but we never reach your inbox? Check your spam folder and hit 'Not spam' (or 'Remove from spam') to bust us out of junk-mail purgatory. You'll be helping everyone else too.
Rewrite Article
Select parts to regenerate with a fresh AI pass. Translations will be updated automatically.
Generate AI Image
Creates a sardonic version of the article image using OpenAI.