Microsoft has addressed a critical vulnerability in its Defender antivirus software, known as RoguePlanet, by releasing a security update. This flaw, identified as CVE-2026-50656 with a CVSS score of 7.8, is a privilege escalation issue within the Microsoft Malware Protection Engine (mpengine.dll), which is integral to Defender’s scanning and threat detection capabilities.
The vulnerability was initially disclosed by a security researcher operating under the pseudonym Chaotic Eclipse, who described it as a race condition that could be exploited to gain SYSTEM-level privileges. This level of access would allow attackers to execute arbitrary code and perform unauthorized actions on affected systems. Notably, the exploit was effective on Windows 10 and 11 systems that had the June 2026 Patch Tuesday updates installed, indicating that even fully updated machines were susceptible.
Microsoft’s remediation efforts have culminated in the release of Microsoft Malware Protection Engine version 1.1.26060.3008. This update not only resolves the RoguePlanet vulnerability but also includes defense-in-depth enhancements to bolster the engine’s security features. Importantly, Microsoft has stated that no manual action is required from users to apply this update, as the Malware Protection Engine is designed to update automatically, ensuring that systems are protected against emerging threats without user intervention.
RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have been patched by Microsoft. Despite the critical nature of these disclosures, Microsoft has not officially credited Chaotic Eclipse for the discovery of RoguePlanet.
This series of vulnerabilities underscores the importance of timely and coordinated vulnerability disclosure. While independent researchers play a crucial role in identifying and reporting security flaws, the lack of official recognition can lead to tensions between researchers and corporations. For users, this incident highlights the necessity of ensuring that automatic updates are enabled and functioning correctly, as they serve as a primary defense mechanism against rapidly evolving security threats.