Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
HighPublic exploit

RoguePlanet

IdentifiersCVE-2026-50656CWE-59· Improper Link Resolution Before…

CVE-2026-50656, publicly referred to as RoguePlanet, is a local elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine used by Microsoft Defender. Based on the provided content, the flaw is rooted in improper link resolution before file access and is exploited via a time-of-check to time-of-use race condition in Defender's file-handling/scanning workflow. Defender verifies or opens a file path and later reopens or acts on that path; an attacker can win the race by substituting the checked object with a malicious file or link target between those operations. Public proof-of-concept reporting indicates successful exploitation can cause Defender, which runs as NT AUTHORITY\SYSTEM, to launch attacker-controlled code such as a SYSTEM command prompt. The issue has been reported as affecting fully patched Windows 10 and Windows 11 systems at the time of disclosure.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated local attacker to escalate from a low-privileged context to NT AUTHORITY\SYSTEM on the affected host. This level of access can enable full local compromise, including disabling or tampering with security controls, credential theft, persistence establishment, lateral movement preparation, and arbitrary actions available to SYSTEM. The provided content states Microsoft had not observed in-the-wild exploitation at the time of advisory publication, but public proof-of-concept code existed and Microsoft rated exploitation as more likely.

Mitigation

If you can’t patch tonight, do this now.

No vendor workaround is provided in the Microsoft advisory content. Interim defensive measures mentioned in the supporting content include monitoring for unexpected SYSTEM-level child processes spawned by MsMpEng.exe, detecting rapid file-substitution or suspicious link activity in Defender-related scanning paths, enforcing least privilege, enabling Attack Surface Reduction rules in block mode, restricting unnecessary tooling that could aid local exploitation, blocking known proof-of-concept hashes where practical, and deploying the official Microsoft fix as soon as it is available. These are compensating controls only, not a vendor-confirmed mitigation.

Remediation

Patch, then assume compromise.

Apply Microsoft's security update for CVE-2026-50656 for Microsoft Defender / the Microsoft Malware Protection Engine when it becomes available. The provided advisory content does not list a fixed version or patch build yet, and Microsoft stated it would update the CVE entry once the security update is released.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationDefenderapplication
Microsoft CorporationMalware Protection Engineapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

81 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

81 SOURCESView more in app
security affairsNews
Jun 18, 2026
Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development

A privilege escalation vulnerability in Microsoft Defender's Microsoft Malware Protection Engine that can grant SYSTEM-level privileges via a race condition.

Read more
thecyberexpress com vulnerabilitiesNews
Jun 18, 2026
CVE-2026-50656 RoguePlanet Zero-Day Hits Windows Defender

A Windows Defender local privilege escalation vulnerability caused by a TOCTOU race condition in Defender's file-processing workflow, allowing execution with SYSTEM-level privileges.

Read more
cyber security newsNews
Jun 18, 2026
Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch

A Microsoft Defender / Microsoft Malware Protection Engine elevation-of-privilege vulnerability caused by improper link resolution and a TOCTOU race condition, allowing local low-privileged attackers to gain NT AUTHORITY\SYSTEM privileges on fully patched Windows systems.

Read more
the hacker newsNews
Jun 17, 2026
Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development

A privilege escalation vulnerability in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as RoguePlanet. The exploit is described as a race condition that can grant attackers a SYSTEM-level shell.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity71

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-50656
NVD
nvd.nist.gov/vuln/detail/CVE-2026-50656
MITRE CWE · CWE-59
Improper Link Resolution Before File Access…
github.com
github.com/MSNightmare/RoguePlanet
msrc.microsoft.com
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656