
Privilege Escalation Vulnerability in Microsoft Defender "RoguePlanet" Made Public

Microsoft has acknowledged the Defender vulnerability CVE-2026-50656, a race condition that can be exploited to gain SYSTEM privileges. CVSS 7.8, PoC released. No patch available yet.

4 min read Reviewed & edited by the SINGULISM Editorial Team


Microsoft published an advisory on June 17 acknowledging a zero-day vulnerability in Microsoft Defender, the antivirus built into Windows. The news was first reported by SecurityWeek.

The vulnerability, named “RoguePlanet,” is tracked as CVE-2026-50656 and carries a CVSS base score of 7.8, which Microsoft rates as Important. Security researcher Nightmare Eclipse (also known as Chaotic Eclipse) disclosed the issue last week.

According to the researcher, RoguePlanet abuses a race condition in Microsoft Defender to obtain SYSTEM privileges. A proof-of-concept (PoC) exploit has been released that demonstrates local privilege escalation (LPE) on Windows 11 and Windows 10 systems with the June 2026 Patch Tuesday updates applied, that is, on hosts that were fully patched at the time of disclosure.

Microsoft stated in its advisory: “We are actively working to deliver a high-quality security update to address this vulnerability. Once an update is available, information will be added to this CVE.” However, no timeline for the patch release has been disclosed.

Details of the Vulnerability

The race condition lies in Defender's scanning path. Defender monitors files in real time and, when it acts on a file, performs privileged operations as SYSTEM. According to the researcher's description, there is a brief window during those operations in which the permissions applied to a resource change, and an attacker who times their own access to land inside that window can have a privileged operation carried out on their behalf. Exploits of this class are timing-dependent and typically retry until they win the window, which makes them noisy but not unreliable.

Notably, Nightmare Eclipse pointed out on June 17 that the PoC works whether Defender's real-time protection is enabled or disabled. The researcher further suggested that the exploit might also function in passive mode, the configuration used when a third-party antivirus is the primary engine and Defender remains installed but does not remediate threats. This implies that turning Defender off, as most administrators understand it, may not be an adequate defense.

A CVSS base score of 7.8 is High on the CVSS scale; Microsoft's own severity rating for the issue is Important. Exploitation requires the ability to run code on the target as a local user, so the flaw is not remotely exploitable on its own. However, once an attacker has obtained any user-level foothold, they can use this vulnerability to reach SYSTEM and take full control of the host.

Affected Systems

This vulnerability impacts systems running Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed. For Windows 11, all editions, including the latest major update version 24H2, are affected. For Windows 10, version 22H2 is impacted. Currently, there is no confirmation regarding the impact on Windows Server operating systems.

Microsoft Defender Antivirus ships as the standard security solution integrated into Windows. In enterprises that run a third-party antivirus as the primary engine, Defender is usually left in passive mode rather than removed. That is why the researcher's remark about passive mode matters: a host whose owner considers Defender “off” still carries the vulnerable component, and as noted above, many organizations are concerned about exactly that case.
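To turn the scope above into something a practitioner can check, here is an added example (not code from the article, SecurityWeek, the researcher, or Microsoft) that inventories the facts the article ties to exposure on one host: OS edition and version, Defender's running mode and real-time protection state, and whether a given cumulative update is installed. It assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated prompt; the KB number of the June 2026 update is not given in the article, so it is a parameter the reader must supply.

```powershell
# Added example, not from the article or from Microsoft: collect the facts the article
# says decide exposure to CVE-2026-50656 on one Windows host.
# Assumptions: Windows 10/11 with the built-in Defender PowerShell module, run from an
# elevated prompt. The article does not name the June 2026 cumulative update's KB number,
# so it is a parameter to be filled in from Microsoft's advisory.
param(
    [string]$JuneUpdateKb = ''   # e.g. 'KB<number>' once known; deliberately blank here
)

# OS identity. Win32_OperatingSystem.Caption is used instead of the registry ProductName,
# which still reads "Windows 10" on Windows 11 installs.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$displayVersion = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build    = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
$isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = domain controller, 3 = server

# Defender state. AMRunningMode is 'Normal', 'Passive Mode', 'EDR Block Mode' or 'Not running'.
$mp = Get-MpComputerStatus

# Was the June 2026 cumulative update installed? Only answerable once the KB is known.
$juneInstalled = if ($JuneUpdateKb) {
    [bool](Get-HotFix -Id $JuneUpdateKb -ErrorAction SilentlyContinue)
} else {
    'unknown (KB not supplied)'
}

# Scope as stated by the article: Windows 10 22H2 and all Windows 11 releases are affected;
# Windows Server is unconfirmed. Per the researcher, passive mode and disabled real-time
# protection do NOT take a host out of scope.
$assessment = if ($isServer) {
    'Windows Server: impact not confirmed by the article'
} elseif ($os.Caption -match 'Windows 11' -or
          ($os.Caption -match 'Windows 10' -and $displayVersion -eq '22H2')) {
    if ($mp.AMRunningMode -eq 'Passive Mode') {
        'In scope; passive mode does not exempt this host'
    } elseif (-not $mp.RealTimeProtectionEnabled) {
        'In scope; disabled real-time protection does not exempt this host'
    } else {
        'In scope'
    }
} else {
    'Outside the versions the article lists; verify against the CVE entry'
}

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OS                  = $os.Caption
    Version             = $displayVersion
    Build               = $build
    DefenderMode        = $mp.AMRunningMode
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
    TamperProtection    = $mp.IsTamperProtected
    PlatformVersion     = $mp.AMProductVersion
    EngineVersion       = $mp.AMEngineVersion
    JuneUpdateInstalled = $juneInstalled
    Assessment          = $assessment
}
```

Run it per host (for example through your management tooling) and pipe the object to Export-Csv to build a fleet-wide view. The PlatformVersion and EngineVersion fields are the values to compare against the fixed versions once Microsoft adds them to the CVE entry. On hosts where the Defender feature has been removed entirely, Get-MpComputerStatus fails, which is itself the answer to whether the component is present.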

Significance of PoC Disclosure

Nightmare Eclipse documented the vulnerability in detail and released the PoC code. This practice often sparks debate within the security research community. While releasing a PoC increases awareness of the vulnerability and may prompt Microsoft to act quickly to issue a fix, it also raises the risk that malicious actors will exploit it for attacks.

Until Microsoft provides a patch, users remain exposed to potential attacks leveraging this vulnerability.

Editorial Opinion

In the short term, the impact of this vulnerability may be limited, as exploitation requires local access and the flaw is not remotely exploitable on its own. However, the risk of “privilege escalation chaining,” where attackers first gain user-level access by other means and then use this vulnerability to escalate, cannot be ignored. Corporate security teams should treat every Windows 10 and Windows 11 host as exposed regardless of Defender's operational mode, and watch the CVE entry for Microsoft's update.

From a long-term perspective, this case highlights the paradox of security software itself harboring vulnerabilities. Because Defender runs as SYSTEM and is deeply integrated into the operating system, a flaw in it is a flaw in the trusted computing base of every Windows host. Race conditions are especially hard to handle in such software: they rarely show up in functional testing because they depend on timing, and fixing one usually means restructuring a privileged operation rather than adding a check. Moreover, the practice of responsible disclosure followed by PoC publication is likely to keep sparking debate within the industry.

The editorial team is particularly focused on the speed and quality of Microsoft’s patch rollout and the reinforcement of defenses against race conditions in the future.


Frequently Asked Questions

How is the RoguePlanet vulnerability exploited?
RoguePlanet exploits a race condition in Microsoft Defender. While Defender scans and acts on files with SYSTEM privileges, there is a brief window in which permissions on a resource change; an attacker who times their access to fall inside that window can escalate to SYSTEM. Local access is required: the attacker must already be able to run code as an ordinary user on the host.
Which versions of Windows are affected?
Systems running Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates are affected. For Windows 11, all editions, including version 24H2, are impacted. For Windows 10, version 22H2 is affected. No confirmation has been provided regarding Windows Server systems.
How can users protect themselves?
Until Microsoft releases a patch, there is no definitive fix. Disabling Defender's real-time protection does not remove the vulnerability, and the researcher suggests passive mode may not either, so neither should be relied on as a mitigation. Apply Microsoft's update as soon as it is published. In the meantime, limit what an attacker gains from a user-level foothold: enforce least privilege for interactive accounts, remove unnecessary accounts, and segment the network so a single compromised host cannot reach everything.
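The compensating controls above are only as good as the inventory behind them. The following added example (not code from the article or from Microsoft) audits two of them on a single host: who holds local administrator rights, and which enabled local accounts look unused. It assumes Windows 10/11 with the default Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the 90-day “stale” threshold is an assumption to be set to your own policy.

```powershell
# Added example, not from the article: audit two of the FAQ's compensating controls on a
# local host, since the exploit chain starts with an ordinary user account.
# Assumptions: Windows 10/11 with the Microsoft.PowerShell.LocalAccounts module (present
# by default), run from an elevated prompt. The 90-day threshold is an assumption.
param([int]$StaleDays = 90)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. Who can already act as an administrator? An attacker who lands in one of these users'
#    sessions does not need the LPE at all, so the list should be short and known.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Enabled local accounts with no logon inside the threshold (or ever). Each one is a
#    foothold from which the article's "privilege escalation chaining" could start.
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
} | Select-Object Name, LastLogon, PasswordLastSet

# 3. The built-in Administrator account (RID 500) should normally be disabled; check it.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

"== Local Administrators on $env:COMPUTERNAME =="
$admins | Format-Table -AutoSize
"== Enabled local accounts with no logon in the last $StaleDays days =="
$stale | Format-Table -AutoSize
"== Built-in Administrator enabled: $($builtin.Enabled) =="

# Remediation is a decision, not a script: prefer disabling over deleting so the change is
# reversible, e.g. Disable-LocalUser -Name <account> after the list has been reviewed.
```

Domain-joined hosts will show domain groups among the local Administrators; those memberships are managed centrally and should be reviewed there rather than on the host. Get-LocalGroupMember is silenced because it throws on orphaned SIDs from deleted accounts, which is itself worth noting when you see an incomplete list.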
Source: Slashdot

