Microsoft has formally acknowledged the RoguePlanet vulnerability in Microsoft Defender. It now has a CVE identifier: CVE-2026-50656. The company describes it as a privilege escalation flaw in the Microsoft Malware Protection Engine.
The confirmation comes nearly a week after security researcher Chaotic Eclipse released a proof-of-concept exploit. The researcher called RoguePlanet a race condition that grants attackers a shell with SYSTEM-level privileges.
Microsoft says it is "working to provide a high-quality security update that addresses this vulnerability." No patch is available yet.
What Is CVE-2026-50656?
The Microsoft Defender RoguePlanet zero-day is an elevation of privilege vulnerability in the Microsoft Malware Protection Engine. It affects Microsoft Defender, the built-in antivirus and endpoint protection solution included with Windows.
Microsoft's advisory is brief: "Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as 'RoguePlanet.' We are working to provide a high-quality security update that addresses this vulnerability."
The vulnerability has been assigned a CVSS score of 7.8, which is rated Important.
How the Exploit Works
The researcher who discovered the Microsoft Defender RoguePlanet zero-day describes it as a race condition. A race condition occurs when two processes try to access the same resource at the same time and the outcome depends on which one gets there first. If an attacker wins the race, they can bypass security controls.
When the exploit succeeds, the result is a command shell running with SYSTEM-level privileges. SYSTEM is the highest privilege level on Windows. It is above administrator. An attacker with SYSTEM access has full control over the compromised machine.
The exploit is not 100% reliable. Chaotic Eclipse noted: "I have managed to get a 100% success rate on some machines while it struggled to work on others."
A Surprising Discovery
In an update shared after the initial disclosure, the researcher added an unexpected finding: the exploit works regardless of whether real-time protection is enabled or not. That is unusual. Most Defender vulnerabilities are mitigated when real-time protection is active.
The researcher also noted that the exploit might work even when Defender is in passive mode, though that has not been confirmed.
If true, that means disabling real-time protection, a common troubleshooting step, does not protect against this vulnerability. The flaw exists deeper in the Malware Protection Engine itself.
The Fourth Defender Zero-Day
The Microsoft Defender RoguePlanet zero-day is the fourth Defender vulnerability disclosed by Chaotic Eclipse in recent months.
The previous three are:
1. BlueHammer (CVE-2026-33825)
2. UnDefend (CVE-2026-45498)
3. RedSun (CVE-2026-41091)
All three have since been patched by Microsoft. All three were publicly disclosed before patches were available.
The pattern is clear: an independent researcher is finding vulnerabilities in Microsoft Defender and disclosing them without waiting for Microsoft to respond.
How to Protect Yourself
There is no patch for the Microsoft Defender RoguePlanet zero-day yet. Microsoft says it is working on a high-quality update, but no timeline has been provided.
Until a patch is available:
1. Reduce local user permissions. The exploit requires an authenticated user. Minimizing the number of local accounts on a system also leaves fewer ways to gain access to that system. This is the principle of least privilege.
2. Detect suspicious behavior. Any logs left by a race condition exploit will only show up after the fact. Look for signs such as crashes, timing anomalies, or processes behaving strangely, particularly processes running under Microsoft Defender.
3. Implement EDR capabilities. Traditional AV solutions will not protect against this type of attack. However, EDR solutions that monitor process behavior may be able to identify components of the exploit chain.
4. Always apply Microsoft Defender updates promptly. When a patch is released, install it right away, whether or not you expect it to help. This vulnerability is public, and attackers will clearly try to use it against your environment.
5. Look for additional hardening methods. Application control, privilege management, and attack surface reduction measures can help limit the severity of this vulnerability prior to a fix being published.
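As an added illustration of step 2 (this is example code written for this article, not Microsoft's or the researcher's), the following triage routine flags process-creation events in which a command shell runs as SYSTEM but was started by a Defender process or by a parent running as an ordinary user. It is a generic privilege-escalation heuristic, not a RoguePlanet signature; the field names assume Sysmon Event ID 1 records, and the sample events are constructed.

```python
import ntpath

# Assumption: events are dicts using Sysmon Event ID 1 field names
# (Image, User, ParentImage, ParentUser). ParentUser is missing on older
# Sysmon versions, so that check is skipped when the field is absent.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFENDER_PROCS = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
SYSTEM_USER = "nt authority\\system"


def basename(path):
    # ntpath splits on backslashes regardless of the OS running this script.
    return ntpath.basename(path or "").lower()


def triage(event):
    """Return the reasons (possibly none) this event deserves analyst review."""
    if basename(event.get("Image")) not in SHELLS:
        return []
    if (event.get("User") or "").lower() != SYSTEM_USER:
        return []
    reasons = []
    parent = basename(event.get("ParentImage"))
    parent_user = (event.get("ParentUser") or "").lower()
    if parent in DEFENDER_PROCS:
        reasons.append("SYSTEM shell is a child of Defender process " + parent)
    if parent_user and parent_user != SYSTEM_USER:
        reasons.append("SYSTEM shell started by non-SYSTEM parent " + parent_user)
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triage() flags."""
    hits = []
    for index, event in enumerate(events):
        reasons = triage(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample events (paths, users and version folder are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe", "ParentUser": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\X.Y.Z\MsMpEng.exe",
     "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\Agent\agent.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The fourth sample, a management agent running PowerShell as SYSTEM, is deliberately not flagged; on non-English Windows installs the SYSTEM account name is localized and SYSTEM_USER needs adjusting.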
The Bigger Picture
RoguePlanet is the latest Microsoft Defender zero-day to come out of a long-standing dispute between an anonymous researcher and Microsoft. Chaotic Eclipse has accused Microsoft of mishandling previous disclosures, revoking MSRC access, and failing to compensate researchers.
Regardless of who is right, the victims are the same: Windows users caught in the middle. Each public disclosure creates a window where attackers know about a vulnerability before a patch exists.
Microsoft condemns the disclosures as putting customers at unnecessary risk. But the company also acknowledges the vulnerability and is working on a fix.
The Bottom Line
The Microsoft Defender RoguePlanet zero-day is real. It is confirmed. It has a CVE. And there is no patch yet.
Microsoft is working on it. That is the official line. In the meantime, the exploit is public, and attackers will attempt to use it.
Harden your systems. Monitor for unusual Defender behavior. And watch for Microsoft's patch announcement.
Because when the patch drops, you should install it immediately.
FAQ Section
What is RoguePlanet?
RoguePlanet is a privilege escalation vulnerability in the Microsoft Malware Protection Engine, part of Microsoft Defender. It has been assigned CVE-2026-50656.
What is the RoguePlanet exploit?
The exploit abuses a race condition. When it succeeds, the attacker gets complete access to the affected system through a command shell with SYSTEM-level privileges.
Will the exploit still work without real-time protection?
The researcher has confirmed that the RoguePlanet exploit works regardless of whether real-time protection is turned on or not.
Has Microsoft released a patch?
No. Microsoft has acknowledged the vulnerability and says it is working on a high-quality security update. No patch has been released yet.
Is this the first Defender zero-day vulnerability this researcher has reported?
No, this is the researcher's fourth Defender zero-day (the previous three were BlueHammer, UnDefend, and RedSun). All three have since been patched.
Is there anything I can do to protect myself until a patch becomes available?
Limit user accounts' local privileges, monitor Defender for any unusual behavior, and apply any available patches as soon as possible.