CVE: CVE-2026-50656 | CVSS 3.1: 7.8 (High) | Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-362 (Race Condition) | Vendor: Microsoft | Product: Microsoft Malware Protection Engine (mpengine.dll) / Microsoft Defender | Affected versions: Prior to version 1.1.26060.3008
What Is the Vulnerability
CVE-2026-50656, dubbed ‘RoguePlanet’, is a privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), the core scanning engine used by Microsoft Defender Antivirus and related security products. The vulnerability is a race condition that an attacker can abuse to spawn a shell with SYSTEM-level privileges. The exploit has been found to work on systems running up-to-date versions of Windows with Microsoft Defender enabled. The flaw was first publicly disclosed by security researcher Chaotic Eclipse (aka Nightmare-Eclipse) approximately one month before Microsoft released patches.
Versions Affected
- Microsoft Malware Protection Engine (mpengine.dll) — versions prior to 1.1.26060.3008
The Malware Protection Engine is a core component of Microsoft Defender and ships with all supported versions of Windows where Defender is enabled.
Exploited?
No confirmed exploitation in the wild at time of Microsoft’s patch release. However, the vulnerability details and exploit methodology were publicly available for approximately one month before Microsoft released the fix, creating a significant window of exposure.
Fix
Microsoft has released security updates in Microsoft Malware Protection Engine version 1.1.26060.3008, along with defense-in-depth updates to harden unspecified security-related features.
- Primary fix: The Malware Protection Engine updates automatically via Windows Update. Verify the installed version is 1.1.26060.3008 or later.
Recommendations
- Ensure Windows Update is current: The fix is delivered through the Malware Protection Engine’s automatic update mechanism.
- Verify engine version: Check that mpengine.dll version is 1.1.26060.3008 or later.
- No configuration changes required: The fix is applied automatically through standard update channels.
References
- The Hacker News: RoguePlanet
- NVD Entry for CVE-2026-50656
- Microsoft Security Response Center
Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.
