CVE-2026-50656 “RoguePlanet”: Microsoft Defender Malware Protection Engine Privilege Escalation to SYSTEM — Patched After Month-Long Disclosure

CVE-2026-50656 “RoguePlanet”: Microsoft Defender Malware Protection Engine Privilege Escalation to SYSTEM — Patched After Month-Long Disclosure

CVE: CVE-2026-50656 | CVSS 3.1: 7.8 (High) | Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-362 (Race Condition) | Vendor: Microsoft | Product: Microsoft Malware Protection Engine (mpengine.dll) / Microsoft Defender | Affected versions: Prior to version 1.1.26060.3008


What Is the Vulnerability

CVE-2026-50656, dubbed ‘RoguePlanet’, is a privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), the core scanning engine used by Microsoft Defender Antivirus and related security products. The vulnerability is a race condition that an attacker can abuse to spawn a shell with SYSTEM-level privileges. The exploit has been found to work on systems running up-to-date versions of Windows with Microsoft Defender enabled. The flaw was first publicly disclosed by security researcher Chaotic Eclipse (aka Nightmare-Eclipse) approximately one month before Microsoft released patches.


Versions Affected

  • Microsoft Malware Protection Engine (mpengine.dll) — versions prior to 1.1.26060.3008

The Malware Protection Engine is a core component of Microsoft Defender and ships with all supported versions of Windows where Defender is enabled.


Exploited?

No confirmed exploitation in the wild at time of Microsoft’s patch release. However, the vulnerability details and exploit methodology were publicly available for approximately one month before Microsoft released the fix, creating a significant window of exposure.


Fix

Microsoft has released security updates in Microsoft Malware Protection Engine version 1.1.26060.3008, along with defense-in-depth updates to harden unspecified security-related features.

  • Primary fix: The Malware Protection Engine updates automatically via Windows Update. Verify the installed version is 1.1.26060.3008 or later.

Recommendations

  • Ensure Windows Update is current: The fix is delivered through the Malware Protection Engine’s automatic update mechanism.
  • Verify engine version: Check that mpengine.dll version is 1.1.26060.3008 or later.
  • No configuration changes required: The fix is applied automatically through standard update channels.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!