JH← Back to blog

RoguePlanet (CVE-2026-50656): When Your Antivirus Becomes the Attack Surface

CVE-2026-50656 'RoguePlanet' let attackers gain SYSTEM privileges through Microsoft Defender itself, with a public PoC live for 29 days before the patch. Here's the timeline and the fix.


Microsoft Defender is supposed to stop privilege escalation, not enable it. CVE-2026-50656, nicknamed "RoguePlanet," inverted that: a local elevation-of-privilege flaw in the Microsoft Malware Protection Engine let authenticated attackers spawn a SYSTEM-level shell through a race condition. A working proof-of-concept was public since June 10, and Microsoft didn't ship a fix until roughly 29 days later. If Defender is your baseline endpoint control, this is a case study in why "patched" and "was never exploitable" are very different claims.

What the bug does and why the timeline matters more

Researcher Chaotic Eclipse traced it to improper link resolution before file access inside the scanning engine — a classic use-after-free pattern where an attacker who wins a timing window can substitute a malicious target. Microsoft rated it "Exploitation More Likely," CVSS 4.0 score 7.8, affecting Windows 10 and 11. Because the flaw lives in the Malware Protection Engine, it inherits Defender's own privileged execution context, escalating straight to SYSTEM. The bigger lesson is the nearly month-long gap between public PoC and patch — Microsoft says no manual action is required since the engine auto-updates, but that doesn't erase the exposure window that existed before.

The fourth bug from the same researcher

RoguePlanet is the fourth Defender vulnerability from this researcher, following BlueHammer, UnDefend, and RedSun — all since patched. Four related privilege escalation bugs in the same scanning engine in one year means treating Defender's engine as a static, set-it-and-forget-it trust boundary is no longer safe.

What to actually do

Confirm the engine version explicitly. Check endpoints are running Malware Protection Engine 1.1.26060.3008 or later rather than trusting auto-update reached every machine, especially on delayed-update policies.

Treat this as a detection gap, not just a patching gap. RoguePlanet needs some existing authenticated access — review whether your detection stack would actually catch the race-condition exploitation pattern rather than relying solely on the patch.

Ask security vendors about their own disclosure history during procurement. How quickly a vendor closes the gap between public PoC and shipped fix is now a fair, necessary question — security tooling runs with the exact elevated privilege that makes it a high-value target regardless of who wrote it.

Conclusion

RoguePlanet is a reminder that endpoint security software runs with enormous privilege precisely because it needs broad system access to do its job. The fix requires no manual action, but the nearly month-long exposure window is the part worth remembering next time you're deciding how urgently to escalate a "local" privilege escalation bug in tooling you assumed was the defender, not the attack surface.