
CVE-2026-50656: Microsoft Confirms Defender ‘RoguePlanet’ Zero-Day — No Patch Available Yet

dark6 19 June 2026

Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed "RoguePlanet," and confirmed it is actively developing a security patch to address the flaw. The vulnerability, tracked as CVE-2026-50656, carries a CVSS score of 7.8 and affects fully patched Windows 10 and Windows 11 systems — including those running the June 2026 cumulative update KB5094126.

What Is RoguePlanet?

RoguePlanet is an Elevation of Privilege (EoP) vulnerability rooted in a Time-of-Check to Time-of-Use (TOCTOU) race condition within Defender's real-time scanning engine. It is classified under CWE-59 (Improper Link Resolution Before File Access): an attacker abuses the brief window between the moment Defender verifies a file path and the moment it acts on that path. In this bug class, the path is swapped for a link during that window, so the privileged operation lands on a different object than the one that was checked. The advisory does not describe the specific objects or operations involved.

When successfully triggered, the exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM, the most privileged local account on a Windows machine, effectively giving an attacker complete control of the operating system from a low-privilege starting point.
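To make the bug class concrete, the following is an added illustration written for this page; it is not Defender's code and not the published PoC, and it does not reproduce RoguePlanet (the advisory does not describe Defender's internals or the PoC's steps). It simulates the generic CWE-59 check-then-use pattern on POSIX with a symlink, injecting the attacker's swap deterministically through a hook so the race is visible without timing. The function names, directory layout and file contents are constructed for the demo.

```python
# Added illustration (not Defender's code, and not the RoguePlanet PoC): the generic
# CWE-59 / TOCTOU pattern of checking a path name and then acting on the same name.
# Runs on POSIX (symlinks); the Windows analogue is a junction or symbolic link.
import os
import shutil
import stat
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[], None]]


def _is_plain_file_by_name(path: str) -> bool:
    """The 'check': lstat the name and require a regular file, not a link."""
    try:
        return stat.S_ISREG(os.lstat(path).st_mode)
    except FileNotFoundError:
        return False


def vulnerable_read(path: str, between: Hook = None) -> bytes:
    """Check the name, then reopen the name. `between` stands in for the attacker's
    race window; in a real TOCTOU the swap happens from another thread or process."""
    if not _is_plain_file_by_name(path):
        raise PermissionError("refusing: not a regular file")
    if between:
        between()  # attacker replaces `path` with a link to a protected target
    with open(path, "rb") as f:  # re-resolves the name, so the new link is followed
        return f.read()


def hardened_read(path: str, between: Hook = None) -> bytes:
    """Open once without following links, then check and read the same handle.
    The attacker's swap is placed at the worst moment (just before the open) to show
    that the operation fails closed instead of touching the wrong target."""
    if between:
        between()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)  # ELOOP on a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the handle, not the name
            raise PermissionError("refusing: not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: `scanned` is attacker-writable, `secret` must not be
    reachable through it. Returns what each reader ended up doing."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "secret.txt")
    scanned = os.path.join(workdir, "scanned.bin")
    try:
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def reset():  # put a benign regular file back at the scanned path
            if os.path.lexists(scanned):
                os.unlink(scanned)
            with open(scanned, "wb") as f:
                f.write(b"benign")

        def swap():  # the attacker's move inside the race window
            os.unlink(scanned)
            os.symlink(secret, scanned)

        reset()
        result = {"hardened_no_race": hardened_read(scanned)}
        result["vulnerable_raced"] = vulnerable_read(scanned, swap)  # reads SECRET
        reset()
        try:
            hardened_read(scanned, swap)
            result["hardened_raced"] = "read"
        except OSError:  # O_NOFOLLOW refuses the swapped-in link
            result["hardened_raced"] = "blocked"
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The fix is not "check harder" but "stop re-resolving the name": the hardened reader performs the check and the action on one handle. On Windows the same discipline applies, opening the object once (with FILE_FLAG_OPEN_REPARSE_POINT where reparse points must not be followed) and doing both the check and the privileged operation on that handle rather than on the path.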

Timeline and Public Disclosure

RoguePlanet was first publicly released on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rollout, by a security researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse. The timing — immediately after Patch Tuesday — gave Microsoft no opportunity to include a fix in its regular monthly update cycle, leaving users exposed for an extended period.

The vulnerability was formally published on June 16, 2026 by the Microsoft Security Response Center (MSRC), confirming the flaw and acknowledging that a working public proof-of-concept (PoC) exists. The CVSS vector string confirms the flaw is:

  • Locally exploitable
  • Requires only low privileges
  • Requires no user interaction
  • Has high impact across confidentiality, integrity, and availability
  • Rated as “Exploit Code Maturity: Functional” — confirming a working PoC

Severity and Independent Verification

Cybersecurity firm ThreatLocker independently reproduced the exploit and confirmed its viability on fully patched Windows 11 systems. In an alarming development, Nightmare Eclipse revealed that the PoC works regardless of whether Defender’s Real-Time Protection is enabled or disabled, and may even function in Defender’s passive mode — a configuration often used in environments where a third-party antivirus product is the primary protection layer.

The exploit’s reliability varies by machine due to its race-condition nature, but the researcher expressed confidence that it can be refined to achieve consistent success rates. Attempts by the security community to detect or block the PoC through custom signatures have proven largely ineffective, as minor modifications can bypass mitigations entirely.

Microsoft’s Response

Microsoft has rated CVE-2026-50656 as “Exploitation More Likely” on its Exploitability Index. The company’s official statement reads: “We are working to provide a high quality security update that addresses this vulnerability.”

Critically, Microsoft has not announced a specific patch release date. The CVSS temporal Remediation Level in the advisory is Unavailable (RL:U), meaning no vendor fix exists yet. The advisory will be updated once a security update becomes available, which may not be until the next Patch Tuesday cycle in July 2026.

What Can Organizations Do Right Now?

While no official patch exists, organizations can take the following steps to reduce risk:

  • Restrict local access: since the vulnerability requires local code execution as a low-privileged user, limiting who can run code on sensitive systems reduces exposure
  • Monitor for suspicious privilege escalation: alert on interactive shells (cmd.exe, powershell.exe) that run as SYSTEM unexpectedly, particularly in a user's desktop session or with a non-service parent process
  • Application allow-listing: tools like ThreatLocker or Windows Defender Application Control (WDAC) can block unknown executables such as a dropped PoC from running; this raises the bar but does not fix the flaw
  • Audit endpoint security configurations: review whether Defender is in passive mode on any endpoints (Get-MpComputerStatus reports this in its AMRunningMode property)
  • Stay alert for the patch: monitor MSRC's advisory for CVE-2026-50656 and apply the fix immediately upon release
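The monitoring item above is the one that can be turned into a concrete rule today. The following is an added detection example written for this page, not code from the article, from Microsoft, or from the researcher: it runs over process-creation events and flags interactive shells running as SYSTEM where a service would not normally put one. The sample events are constructed (loosely following Sysmon Event ID 1 field names; the parent names `poc.exe` and `stager.exe` are invented), and the parent-process allow-list is an assumption to be tuned against your own baseline.

```python
# Added detection example, written for this page (not from the original article or
# from Microsoft): flag interactive shells that run as SYSTEM where a service would
# not normally put one. Sample events are constructed and follow Sysmon Event ID 1
# field names; the parent allow-list is an assumption to tune against your baseline.
import json

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Parents that routinely spawn SYSTEM shells (services, scheduled tasks). Assumption.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe"}

# Constructed sample telemetry (newline-delimited JSON); not real events.
SAMPLE_EVENTS = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "IntegrityLevel": "Medium", "TerminalSessionId": 1}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System", "TerminalSessionId": 0}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\Desktop\\poc.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System", "TerminalSessionId": 1}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\Temp\\stager.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System", "TerminalSessionId": 0}
{"RecordId": 5, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System", "TerminalSessionId": 1}
"""


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Reasons this process-creation event looks like an unexpected SYSTEM shell.
    An empty list means the event is not interesting to this rule."""
    if _basename(event.get("Image", "")) not in SHELLS:
        return []
    runs_as_system = (event.get("User", "").upper() == SYSTEM_USER.upper()
                      or event.get("IntegrityLevel") == "System")
    if not runs_as_system:
        return []
    reasons = []
    session = int(event.get("TerminalSessionId", 0))
    if session != 0:  # services live in session 0; a SYSTEM shell on a desktop session is rare
        reasons.append(f"SYSTEM shell in interactive session {session}")
    parent = _basename(event.get("ParentImage", ""))
    if parent not in EXPECTED_SYSTEM_PARENTS:
        reasons.append(f"unexpected parent {parent or '<none>'}")
    return reasons


def scan(jsonl: str) -> list:
    """Run the rule over newline-delimited JSON events and return the findings."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = analyze(event)
        if reasons:
            findings.append({"RecordId": event.get("RecordId"),
                             "Image": event.get("Image"),
                             "ParentImage": event.get("ParentImage"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["RecordId"], finding["Image"], "<-", finding["ParentImage"],
              "|", "; ".join(finding["reasons"]))
```

Records 3, 4 and 5 fire; 1 (a user's own shell) and 2 (a scheduled task under svchost.exe in session 0) do not. Record 5 is what a sanctioned PsExec-style "run as SYSTEM, interactive" invocation also looks like, so the session rule needs an exception list for admin tooling, while the parent rule catches record 4 regardless of session. The same two conditions translate directly into a SIEM or Sigma rule over Sysmon Event ID 1 or Security event 4688 data.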

Microsoft has not yet observed RoguePlanet being exploited in active attacks in the wild, but given the public availability of a functional PoC, the window before exploitation begins is likely short. Security teams should treat this as a high-priority item for monitoring and mitigation.
