Microsoft working on patch for RoguePlanet Defender zero-day (CVE-2026-50656)

Microsoft has acknowledged the local elevation of privilege issue in Microsoft Defender that can be triggered via the “RoguePlanet” exploit, and is “working to provide a high quality security update that addresses this vulnerability.”

The vulnerability, which has been assigned the CVE-2026-50656 identifier, stems from improper link resolution before file access, and can be exploited in low complexity attacks by authenticated attackers, with no user interaction required.

Zero-day exploits by Nightmare Eclipse

RoguePlanet is one of the exploits released by Nightmare Eclipse, an unidentified security researcher who has been publishing exploits for zero-day vulnerabilities in Microsoft software since March 2026, apparently in retaliation for a dispute with the company.

The researcher previously published PoCs for several Microsoft zero-days, including:

  • BlueHammer and RedSun (two Windows local privilege escalation vulnerabilities)
  • UnDefend (a Microsoft Defender DoS flaw)
  • YellowKey (a BitLocker bypass bug) and GreenPlasma (a privilege escalation vulnerability in Windows CTFMON)

Nightmare Eclipse released the RoguePlanet exploit on the same day as Microsoft shipped its June 2026 Patch Tuesday releases, which also brought fixes for the YellowKey and GreenPlasma issues.

RoguePlanet zero-day needs a patch (CVE-2026-50656)

RoguePlanet abuses a race condition in Windows Defender to spawn a command shell running with SYSTEM-level privileges, effectively allowing local privilege escalation.

The flaw affects fully patched Windows 10 and Windows 11 devices and, according to other researchers, works as described, even though Nightmare Eclipse acknowledged that it might not work every time since successful exploitation depends on winning a race condition.

“I have read many attempts to detect/block the PoC through signatures but none of them seem effective because small changes in the PoC can completely bypass your mitigations. The only thing you can realistically do is wait for a patch from Microsoft,” the researcher noted on Monday, and added that the PoC works regardless of whether Real-Time Protection is enabled in Microsoft Defender.

Microsoft did not say when it expects to push out a patch for CVE-2026-50656.

According to the information provided in the security advisory, Microsoft has not detected exploitation of the RoguePlanet bug in the wild. Still, the vendor has rated the vulnerability “Exploitation More Likely” according to its Exploitability Index.

Microsoft and vulnerability disclosure

Microsoft has not credited Nightmare Eclipse or anyone else for disclosing the flaw, which is not unexpected: the company advocates for coordinated vulnerability disclosure, and given Nightmare Eclipse’s persistent publication of zero-day exploits, the researcher has become a significant thorn in Microsoft’s side.

In late May, the Microsoft Security Response Center (MSRC) team commented on Nightmare Eclipse’s zero-day disclosures and stirred the ire of vulnerability researchers, due to the warning that its Digital Crimes Unit would pursue cases against those enabling “criminal activity” – a phrase many in the security community interpreted as a threat against legitimate vulnerability research.

The team later followed up with a clarification that they “have no intention to pursue action against individuals conducting or publishing their security research.”
