Updated
Updated · Ars Technica · Jul 9
Microsoft Defender Patch Triggers 8-Byte Leak, Letting Attackers Fill Hard Disks
Updated
Updated · Ars Technica · Jul 9

Microsoft Defender Patch Triggers 8-Byte Leak, Letting Attackers Fill Hard Disks

3 articles · Updated · Ars Technica · Jul 9

Summary

  • Microsoft’s Wednesday fix for Defender zero-day CVE-2026-50656 may introduce a new denial-of-service flaw that lets attackers consume all available disk space on Windows 10 and 11 machines, researcher NightmareEclipse said.
  • The issue stems from defense-in-depth changes in mpengine.dll and new SpyNet-related behavior: when opening a file, the engine can leak 8 bytes of data and keep a local copy of a Zone.Identifier ADS file without size limits.
  • That bypasses Defender’s normal safeguards against quarantining huge files, creating an exception that can cache massive data locally until a hard drive is exhausted.
  • Microsoft had released the patch to close RoguePlanet, a publicly disclosed June zero-day that allowed remote attackers to gain administrative control; the Malware Protection Engine update installs automatically.

Insights

When security software becomes the vulnerability, are automatic updates enough to stop attackers from gaining full system control?
Is Microsoft’s legal pressure on researchers backfiring, making its own products less secure ahead of a July 14th threat?