A new Microsoft Defender update could allow hackers to completely exhaust the disk space on Windows 11 PCs.



Security researchers have discovered a vulnerability in Microsoft Defender that could cause it to excessively consume device storage.

NightmareEclipse/LegacyHive: N/A - LegacyHive - Project NightCrawler

https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive

New Microsoft Defender update can let hackers totally fill your Windows 11 PC disk space - Neowin
https://www.neowin.net/news/new-microsoft-defender-update-can-let-hackers-totally-fill-your-windows-11-pc-disk-space/

This vulnerability is related to 'RoguePlanet,' discovered by security researchers operating under the name Nightmare Eclipse. RoguePlanet is a vulnerability that could allow for privilege escalation by exploiting a flaw in Microsoft Defender's protection feature, 'Malware Protection Engine (mpengine.dll).'

Microsoft Defender's new zero-day vulnerability, 'RoguePlanet,' can still be exploited even after all Windows Update patches from June 10, 2026 have been applied - GIGAZINE



Microsoft has fixed this vulnerability by updating to version 1.1.26060.3008. However, according to Nightmare Eclipse, another problem has arisen after the fix.

Normally, Microsoft Defender limits the size of files it scans and quarantines to prevent excessive storage consumption. However, according to Nightmare Eclipse, this limit does not apply to cached alternate data streams (ADS) called Zone.Identifiers, making it technically possible to write extremely large caches to disk to Microsoft Defender.



Nightmare Eclipse's proof-of-concept shows that by placing a file and a specially crafted, massive Zone.Identifier ADS on a malicious custom SMB server, and maintaining an SMB session while intentionally stopping certain read operations, Microsoft Defender will continue to hold onto the cached file instead of deleting it. As a result, disk usage will continue to increase, eventually filling up the entire drive.

According to Nightmare Eclipse, this behavior was reproducible on Windows 11 25H2 and Windows Server 2025. He is investigating whether the same method can be used via WebDAV, and if so, it could eliminate the need for SMB, potentially allowing malware to be distributed over the internet without interference.

Microsoft has not publicly commented on the disk space exhaustion issue reported in this article, as of the time of writing, in its advisory regarding RoguePlanet (CVE-2026-50656).

in Software,   Security, Posted by log1p_kr