Microsoft Defender Patch Triggers 8-Byte Leak, Letting Attackers Fill Hard Disks
Updated
Updated · Ars Technica · Jul 9
Microsoft Defender Patch Triggers 8-Byte Leak, Letting Attackers Fill Hard Disks
3 articles · Updated · Ars Technica · Jul 9
Summary
Microsoft’s Wednesday fix for Defender zero-day CVE-2026-50656 may introduce a new denial-of-service flaw that lets attackers consume all available disk space on Windows 10 and 11 machines, researcher NightmareEclipse said.
The issue stems from defense-in-depth changes in mpengine.dll and new SpyNet-related behavior: when opening a file, the engine can leak 8 bytes of data and keep a local copy of a Zone.Identifier ADS file without size limits.
That bypasses Defender’s normal safeguards against quarantining huge files, creating an exception that can cache massive data locally until a hard drive is exhausted.
Microsoft had released the patch to close RoguePlanet, a publicly disclosed June zero-day that allowed remote attackers to gain administrative control; the Malware Protection Engine update installs automatically.