Researcher Claims Microsoft Defender Patch May Leak Data and Exhaust Disk Space

Recent updates to Microsoft’s Malware Protection Engine, aimed at addressing the RoguePlanet vulnerability (CVE-2026-50656), may have introduced new security and performance issues, according to security researcher Chaotic Eclipse.

The RoguePlanet flaw is a high-severity local privilege escalation vulnerability within the Microsoft Malware Protection Engine, the core component of Microsoft Defender responsible for scanning and remediation. Microsoft released a patch in engine version 1.1.26060.3008 to mitigate this issue, incorporating additional defense-in-depth measures.

Potential Data Leakage

Chaotic Eclipse reports that the recent mitigations may inadvertently cause an information disclosure issue. Specifically, when Defender processes certain files, it could leak eight bytes of data. While the researcher has not yet identified a method for standard users to access these bytes—current observations suggest the data is exposed only to drivers—this behavior has not been independently confirmed by Microsoft.

Disk Space Exhaustion Risk

More concerning is a potential denial-of-service scenario involving Defender’s handling of `Zone.Identifier` alternate data streams (ADS). These streams are Windows metadata that record a file’s origin or security zone, commonly associated with files downloaded from the internet or network locations.

According to the researcher’s analysis, Defender typically imposes size limits when scanning and quarantining files to prevent large objects from consuming all available storage. However, functions within `mpengine.dll` related to Microsoft’s Spynet cloud-protection framework reportedly retain local copies of `Zone.Identifier` data regardless of the stream’s size.

In a proof-of-concept demonstration, the researcher used a controlled SMB server to host a file with an oversized `Zone.Identifier` ADS. When Defender accessed this file, it attempted to read the associated ADS. The server maintained the SMB session without responding to subsequent read requests, causing Defender to wait indefinitely and retain disk space for the cached content. This process led to the affected Windows volume reaching zero free bytes, with Defender’s `MsMpEng.exe` repeatedly writing data and ultimately receiving `DISK FULL` errors.

The researcher reproduced this issue on Windows 11 version 25H2 and Windows Server 2025. While this condition does not cause a system crash, a fully consumed system drive can lead to significant operational problems, including application failures, service instability, update failures, and compromised endpoint protection operations.

These findings highlight the complexities and potential unintended consequences of security patches. Organizations should monitor their systems closely after applying updates and be prepared to address any emerging issues promptly. This situation underscores the importance of thorough testing and validation in the development and deployment of security updates to ensure they do not introduce new vulnerabilities or operational challenges.