for any dev-kitchen
Microsoft Defender Patch Reportedly Opens the Door to a Windows Disk-Filling Attack
A recently released Microsoft Defender security update successfully fixed a serious Windows vulnerability, but a security researcher says the changes may have introduced another unexpected problem.
A recently released Microsoft Defender security update successfully fixed a serious Windows vulnerability, but a security researcher says the changes may have introduced another unexpected problem.
The newly reported issue could potentially be abused to consume nearly all available storage space on an affected Windows PC. If successfully triggered, the system drive could become completely full, causing applications to stop working properly and leaving Windows unstable or difficult to use.
The finding is connected to Microsoft’s patch for a previously disclosed Defender vulnerability known as RoguePlanet, which is tracked as CVE-2026-50656.
What Was RoguePlanet?
RoguePlanet was an elevation-of-privilege vulnerability affecting the Microsoft Malware Protection Engine, the core scanning technology used by Microsoft Defender.
The flaw involved how Defender handled certain files during scanning. An attacker who already had access to a standard Windows account could potentially exploit the bug to gain SYSTEM-level privileges, the highest level of control available in Windows.
With SYSTEM access, an attacker could potentially install programs, modify protected files, disable security controls or take broader control of the affected computer.
Microsoft addressed the original vulnerability by releasing Malware Protection Engine version 1.1.26060.3008. Older versions, including version 1.1.26050.11, were identified as vulnerable.
The updated engine is distributed automatically through Microsoft Defender’s regular update system, meaning most Windows 10 and Windows 11 computers should receive it without requiring a separate manual installation.
Researcher Finds a New Problem After Studying the Patch
After Microsoft released the RoguePlanet fix, security researcher Nightmare-Eclipse examined the updated Defender engine to understand how the vulnerability had been corrected.
During that analysis, the researcher reported finding a different issue involving the way Microsoft Defender caches certain file information.
Defender normally places limits on the size of files it scans or quarantines. Those safeguards are intended to prevent the antivirus engine from consuming excessive amounts of storage while processing unusually large or malicious files.
However, the researcher claims those limits may not apply correctly to cached Zone.Identifier alternate data streams.
A Zone.Identifier is metadata that Windows may attach to downloaded files. It helps the operating system determine whether a file originated from the internet, another computer or a potentially untrusted location.
Alternate data streams allow Windows to store this additional information alongside a file without displaying it as a separate file in File Explorer.
How the Disk-Filling Technique Reportedly Works
According to the researcher’s proof of concept, an attacker could operate a specially configured Server Message Block, or SMB, server containing a maliciously prepared file.
The file would be accompanied by an abnormally large Zone.Identifier data stream.
When Microsoft Defender attempts to inspect the file, the attacker-controlled server could intentionally delay or stall parts of the transfer while keeping the network connection active.
This reportedly causes Defender to keep temporary cached data open instead of deleting it normally. As more data is written, the cached content can continue growing until most or all of the computer’s remaining storage is consumed.
From the user’s perspective, the system drive could suddenly appear full even though they did not intentionally download a large file.
A full Windows drive can cause a wide range of problems. Applications may fail to save data, Windows Update may stop working, temporary files may not be created and the operating system may become slow or unresponsive.
Windows 11 and Windows Server Were Reportedly Tested
The researcher says the behavior was reproduced on Windows 11 version 25H2 and Windows Server 2025.
Research is also reportedly underway to determine whether a similar technique could work through WebDAV. Unlike the current proof of concept, which relies on access to an SMB server, a WebDAV-based version could potentially make remote delivery easier in certain situations.
However, this remains under investigation, and there is currently no public evidence showing that the disk-exhaustion technique is being actively used in real-world attacks.
The attack also appears more complicated than simply visiting a normal webpage or opening an ordinary document. It requires specially prepared infrastructure and carefully controlled network behavior.
The New Finding Is Separate From the Original Vulnerability
It is important not to confuse the two security issues.
The original RoguePlanet vulnerability allowed a local attacker to try to elevate their Windows privileges to SYSTEM. Microsoft has released an updated Defender engine designed to block that attack.
The newly reported disk-filling behavior is a separate weakness discovered while examining the updated engine. It does not mean that Microsoft failed to patch RoguePlanet itself.
At the time of publication, Microsoft has not publicly confirmed the reported disk-exhaustion issue or announced a separate update specifically addressing it.
For that reason, the latest finding should currently be treated as an independently reported security concern rather than a fully documented Microsoft vulnerability.
Another Possible Information Leak Was Identified
The researcher also reported a small information leak connected to Microsoft’s defense-in-depth changes.
Under certain conditions, the updated Defender engine may reportedly expose eight bytes of data while attempting to access a file.
For now, the researcher says the leaked information can only be observed from kernel-level drivers and has not been successfully accessed by an ordinary user-level application.
That limitation makes the issue less immediately useful to attackers, although further investigation is continuing.
Should Windows Users Remove the Defender Update?
Users should not uninstall or block the latest Microsoft Defender engine update.
The update protects Windows systems from the original RoguePlanet privilege-escalation vulnerability, which could give an attacker extremely powerful access to a compromised computer.
Removing the update or preventing Defender from receiving new engine versions could leave a PC exposed to the already documented security flaw and other newly discovered threats.
The safer approach is to keep Microsoft Defender, Windows Update and automatic security intelligence updates enabled.
Users and administrators should also avoid connecting to unknown SMB shares, opening suspicious network files or accessing servers provided through untrusted messages.
How to Check the Microsoft Defender Engine Version
Windows users can check which Defender engine is installed through the Windows Security application.
Open Windows Security, select Virus & threat protection, and look for the section containing protection or security intelligence update information. The installed engine version can also be viewed from the application’s About page.
Systems should be running Microsoft Malware Protection Engine version 1.1.26060.3008 or newer to receive protection against the original RoguePlanet vulnerability.
Because Defender engine updates are normally installed automatically, many users may already have a newer version.
Microsoft May Need to Investigate Further
The researcher’s work shows how difficult it can be to patch complex security software without creating unexpected side effects.
Antivirus engines operate with deep access to the operating system and must inspect files from many different sources, including local drives, downloads and network locations. Even a small weakness in how temporary data is handled can potentially lead to resource-exhaustion problems.
Microsoft has not announced whether it is investigating the latest report. Until the company responds, it remains unclear whether the behavior will receive its own CVE number or be corrected through another Defender engine update.
For most users, the immediate advice remains unchanged: keep Defender fully updated, avoid untrusted network resources and watch for unusual changes in available disk space.


