Internet Voices

Windows Defender Patch Leads to Disk Exhaustion Vulnerability

A zero-day patch for Windows Defender released by Microsoft has introduced a new issue, potentially allowing attackers to fill hard drives.

4 min read Reviewed & edited by the SINGULISM Editorial Team

Windows Defender Patch Leads to Disk Exhaustion Vulnerability
Photo by Ed Hardie on Unsplash

Based on an article reported by Dan Goodin on Ars Technica, a zero-day vulnerability patch recently released by Microsoft for Windows Defender has inadvertently created a new security issue. While the patch addressed the original vulnerability, researchers have pointed out that the additional measures introduced as part of the defense mechanisms could be exploited by attackers.

The vulnerability, named “RoguePlanet” (CVE-2026-50656), was disclosed in June alongside the release of attack code by researcher NightmareEclipse. The vulnerability allowed remote attackers to gain administrative control over Windows 10 and Windows 11 systems, even when real-time protection was disabled. Microsoft announced on Wednesday that it had addressed the issue through an update to the Microsoft Malware Protection Engine, which is automatically downloaded and installed.

However, an analysis released on Thursday by NightmareEclipse uncovered that the “defense-in-depth” updates included in the patch have introduced a new issue. According to the researcher, the added code to enhance defense mechanisms caused a problem in mpengine.dll, leading to an 8-byte data leak when attempting to open files. Additionally, new features added to the cloud service “SpyNet” were found to be involved in large-scale file writing operations.

“Defender normally places hard limits on how big a file can be written to disk when scanning and quarantining a machine. ‘This implementation make [sic] sense because quarantining a huge file will cause Defender to completely exhaust the available disk space,’ the researcher wrote.

‘I found a small exception to this rule. Apparently, the SpyNet functions in mpengine.dll really want [sic] to keep a local copy of the Zone.Identifier ADS file, and it does not matter how big this file is; Windows Defender will cache it locally anyways.’”

Zone.Identifier is a hidden metadata file (alternate data stream) automatically associated by Windows with files downloaded from the internet or received from external sources, recording the origin of the file and the security zone to apply. NightmareEclipse stated that attackers could exploit this behavior using the Server Message Block (SMB) protocol.

As a result, Defender could write files of unlimited size to the disk, potentially filling up the hard drive completely. The researcher explained that while Defender usually sets size limits to prevent disk exhaustion when quarantining large files, an exception was found in the caching behavior for Zone.Identifier files.

This issue follows the previously reported disclosure of the privilege escalation vulnerability “RoguePlanet” in Microsoft Defender. Both vulnerabilities were discovered by the same researcher, and the ongoing conflict between Microsoft and the anonymous researcher remains unresolved.

Editorial Opinion

In the short term, organizations that have applied this patch should conduct a risk assessment immediately. The fact that attackers can use the SMB protocol to make Defender write files of any size to the disk is not merely a bug but a scenario where a defense mechanism has inadvertently expanded the attack surface. Microsoft must quickly release an additional fix, or administrators should consider temporarily disabling SpyNet-related features as a stopgap measure.

In the long term, this incident highlights the trade-offs associated with the increasing complexity of security products. While the principle of defense-in-depth is sound, the inability to fully verify the interactions between different layers can provide attackers with new vectors of exploitation. The fact that cloud-integration features like SpyNet triggered unforeseen local behaviors underscores the need to rethink the design philosophy of endpoint security products.

The editorial team poses a question: Was the disclosure process for this vulnerability handled appropriately, given the ongoing conflict between Microsoft and the anonymous researcher? The researcher chose to immediately publish the attack code, while Microsoft’s defensive measures appear to have inadvertently complicated the issue.

References

Frequently Asked Questions

What impact could this vulnerability have?
Attackers could exploit the SMB protocol to expand the size of Zone.Identifier files without limit, causing Windows Defender to consume excessive disk space and potentially exhaust the system's storage entirely. This bypasses the usual file size limitations applied during write operations.
What measures should users take?
Microsoft has not yet released an additional fix. Administrators are advised to evaluate the activation or deactivation of SpyNet features or reinforce access controls for file servers via SMB. However, disabling SpyNet might reduce cloud-based threat detection, so a balanced risk assessment is required.
Why did the researcher (NightmareEclipse) disclose the vulnerability?
The researcher has previously disclosed vulnerabilities in Microsoft products along with attack code, reportedly due to a serious conflict with the company. By bypassing the typical responsible disclosure process and immediately releasing exploit details, the researcher appears to be pressuring Microsoft to implement fixes.
Source: Ars Technica

Comments

← Back to Home