
Microsoft confirms RoguePlanet as CVE‑2026‑50656, an elevation‑of‑privilege flaw in Defender’s Malware Protection Engine
Disclosed by Chaotic Eclipse as a race‑condition zero‑day granting SYSTEM privileges on fully patched Windows 10/11
Seventh exploit in their campaign; PoC validated by ThreatLocker, with Microsoft promising a fix despite ongoing feud
Microsoft has assigned a unique identifier for the recently-disclosed RoguePlanet vulnerability and confirmed it is now working on a fix.
"Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as 'RoguePlanet,'" the company said in a recently disclosed security advisory.
"We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available."
Chaotic Eclipse's grudge
A security researcher with the alias Chaotic Eclipse recently disclosed a zero-day vulnerability in a fully patched Windows 11 device, just hours after Microsoft released its June Patch Tuesday cumulative update.
Chaotic Eclipse is waging a personal crusade against Microsoft, whom they’re accusing of being disrespectful and poorly handling vulnerability disclosures. RoguePlanet is the seventh zero-day exploit they disclosed in a matter of months. This bug, described as a “race condition vulnerability”, grants attackers SYSTEM privileges on fully patched Windows 10 and Windows 11 devices.
Before that, they also published the BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws. Some of them affect Microsoft Defender, while others affect BitLocker and other Windows components.
They published a Proof-of-Concept (PoC) exploit in a self-hosted Git repository, after saying that both GitHub and GitLab repositories hosting earlier work were removed by Microsoft.
"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," they explained. Security researchers ThreatLocker confirmed to the publication that the flaw works and even recorded a video demonstrating it.
Microsoft now tracks RoguePlanet as CVE-2026-50656. Earlier, it said it considered legal action when people engage in “malicious activity causing real harm to our customers”. Chaotic Eclipse seems unfazed by these warnings, which some interpreted as threats.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
View original source — TechRadar ↗


