Microsoft Patches RoguePlanet (CVE-2026-50656) Local Privilege Escalation in Defender
- CVE ID
- CVE-2026-50656
- CVSS Score
- N/A
- Affected Products
- Windows 10 and Windows 11 systems running vulnerable versions of the Microsoft Malware Protection Engine (mpengine.dll) prior to version 1.1.26060.3008
Overview
Microsoft has rolled out a crucial security update to address a local privilege escalation (LPE) vulnerability identified as CVE-2026-50656, affecting the Microsoft Malware Protection Engine (mpengine.dll), which powers Windows Defender and other Microsoft antimalware software. The flaw, publicly known as “RoguePlanet,” could allow an authenticated attacker to gain SYSTEM-level privileges on vulnerable Windows 10 and Windows 11 machines. The vulnerability was initially disclosed by a security researcher named “Nightmare Eclipse” (also known as “Chaotic Eclipse”) on June 10, 2026, shortly after Microsoft’s monthly Patch Tuesday, along with a functional proof-of-concept (PoC) exploit. While Microsoft assessed that CVE-2026-50656 was not actively exploited at the time of the patch release, the existence of a public PoC significantly elevated the urgency for remediation due to the high likelihood of future exploitation.
Technical Details
CVE-2026-50656 is described as a privilege escalation issue stemming from improper link resolution before file access within the Microsoft Malware Protection Engine. This race condition vulnerability could be abused by an authenticated, low-privilege attacker to spawn a shell with SYSTEM-level privileges. Achieving SYSTEM privileges grants an attacker the highest level of control over a Windows system, allowing them to execute arbitrary code, modify system configurations, and perform unauthorized actions with full administrative rights. The RoguePlanet exploit was demonstrated to work on up-to-date Windows 10 and Windows 11 systems, even with real-time protection enabled, highlighting its effectiveness against default security configurations. The vulnerability has been remediated in Microsoft Malware Protection Engine version 1.1.26060.3008.
Real-World Impact
The real-world impact of CVE-2026-50656, if exploited, is significant, as it provides a pathway for an attacker who has already gained initial access (e.g., through a phishing attack or another vulnerability) to elevate their privileges to the highest level on a compromised system. This LPE can serve as a critical component in a multi-stage attack, enabling threat actors to move laterally, deploy malware (including ransomware), exfiltrate sensitive data, or establish persistence within an organization’s network. For individual users, it could allow malicious software to gain full control over their computer without their knowledge. The existence of a public PoC exploit dramatically increases the risk, as it lowers the bar for less sophisticated attackers to leverage the vulnerability.
Threat Landscape
The researcher “Nightmare Eclipse” has a history of publicly disclosing PoC exploits for previously unpatched Windows vulnerabilities, often after what they claim are mishandled reports by Microsoft. This pattern has led to a series of vulnerabilities (e.g., BlueHammer, RedSun, YellowKey, GreenPlasma, UnDefend) being disclosed and subsequently patched by Microsoft, some of which have seen active exploitation in the wild. While CVE-2026-50656 was not actively exploited at the time of the patch, Microsoft’s assessment that it likely would be, combined with Nightmare Eclipse’s track record, underscored the urgency of the fix. This ongoing dynamic between researchers and vendors contributes to a constantly evolving threat landscape, where vulnerabilities can quickly transition from theoretical to actively exploited once public details and PoCs are available.
Remediation
Microsoft has addressed CVE-2026-50656 with a security update to the Microsoft Malware Protection Engine. For most users and enterprise deployments, the default configuration of Microsoft antimalware software ensures that malware definitions and the engine itself are kept up to date automatically. Therefore, in most cases, no specific customer action is required to install the update.
- Verify Update Status: Administrators and users should verify that their Microsoft Malware Protection Engine has been updated to version 1.1.26060.3008 or later. This can typically be checked within the security software’s interface or through system update logs.
- Manual Update (if necessary): If automatic updates are disabled or not functioning, users should trigger a manual update of their Microsoft antimalware software to ensure the patched engine version is installed.
- General Security Hygiene: While this patch resolves a specific LPE, it’s crucial to maintain overall strong security hygiene, including keeping operating systems and all software updated, using robust endpoint protection, and implementing least privilege principles to minimize the impact of any future vulnerabilities.
Related content
Microsoft Patches "RoguePlanet" Local Privilege Escalation in Defender
AdvisoryNightmare Eclipse Drops Unpatched 'LegacyHive' Windows Privilege Escalation Zero-Day
AdvisoryMicrosoft July 2026 Patch Tuesday Addresses Critical Zero-Days and Information Leaks
AdvisoryCISA Adds Four Actively Exploited Vulnerabilities, Including SonicWall and Microsoft…
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call