Microsoft releases fix for RoguePlanet Defender flaw (CVE-2026-50656)
Microsoft has finally released a security update for its Microsoft Malware Protection Engine, which fixes CVE-2026-50656, the Windows Defender local privilege escalation vulnerability triggered by the RoguePlanet exploit.
The vulnerability and the fix
CVE-2026-50656 is due to improper link resolution before file access, affects Windows 10 and Windows 11, and may allow authenticated attackers to achieve SYSTEM-level privileges on vulnerable machines by launching low-complexity attacks.
The flaw’s existence was publicly revealed on June 10, hours after Microsoft released its monthly Patch Tuesday, by an unidentified security researcher that goes by “Nightmare Eclipse”.
Nightmare Eclipse published the RoguePlanet proof-of-concept exploit, which was then tested by other security researchers and found to be functioning.
It took Microsoft two weeks to acknowledge the flaw and a month in total to release a fix. According to Microsoft’s advisory, CVE-2026-50656 is not actively exploited, but the company assessed that it likely will be.
“Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats,” Microsoft explained.
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.”
Users and admins that have opted to keep this default configuration can check whether the fixed Microsoft Malware Protection Engine version (1.1.26060.3008) has been installed. Those that haven’t should trigger the update manually.
An ongoing feud with Microsoft
Nightmare Eclipse has been releasing proof-of-concept (PoC) exploits for previously undisclosed vulnerabilityes affecting the Windows operating system since March 2026, and giving them colorful names such as BlueHammer, RedSun, YellowKey, GreenPlasma, and UnDefend (among others).
Some of these exploits have already been used by attackers in the wild.
The researcher claims that they have been releasing the PoC exploits because Microsoft mishandled and dismissed their vulnerability reports, and deleted the Microsoft account they used to report the bugs.
Microsoft has not credited Nightmare Eclipse for any the publicly disclosed vulnerabilities.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
