RoguePlanet: A Defender Race Condition That Opens a Direct Path to SYSTEM

Red | Vulnerability
Download Now
CVE-2026-50656: RoguePlanet Microsoft Defender Race Condition to SYSTEM (TA2026195)

Threat Advisory • Vulnerability Report • TA2026195

RoguePlanet: A Defender Race Condition That Opens a Direct Path to SYSTEM

CVE-2026-50656, nicknamed RoguePlanet, is a race condition elevation-of-privilege vulnerability (CWE-59) in the Microsoft Defender Malware Protection Engine. An attacker already running code on a machine can win a narrow check-then-act timing window during a scan operation and redirect it into a SYSTEM-level command shell — reportedly regardless of whether real-time protection is enabled, and even on fully patched Windows 10 and 11 builds. Microsoft has fixed the flaw in Malware Protection Engine version 1.1.26060.3008.

SEVERITY: RED ADMIRALTY: A1 ELEVATION OF PRIVILEGE CWE-59 PROOF-OF-CONCEPT PUBLIC LOCAL ACCESS REQUIRED
CVE ID
CVE-2026-50656
Published
July 10, 2026
Admiralty Code
A1
First Seen
June 16, 2026
CWE ID
CWE-59
Impact
Elevation of Privilege to SYSTEM
Access Required
Local, Already Running Code
Patch Status
Available (Engine 1.1.26060.3008)
Affected Products
Microsoft Defender – Malware Protection Engine

Summary

Microsoft Defender has a flaw nicknamed RoguePlanet (CVE-2026-50656) that turns the security tool itself into an attacker's foothold. It is a race condition in Defender's scanning engine — the Microsoft Malware Protection Engine — meaning an attacker who is already on a machine can win a split-second timing gap to pop open a command prompt with SYSTEM access, the highest privilege level on Windows. The unsettling part is that it worked on fully patched Windows 10 and Windows 11 systems, and regardless of whether real-time protection was switched on.

A researcher went public with a working proof-of-concept for RoguePlanet during a dispute with Microsoft over its bug-bounty practices. No known threat group or malware has been tied to the vulnerability so far, and Microsoft has since fixed the SYSTEM privilege escalation issue in Malware Protection Engine version 1.1.26060.3008. First seen on June 16, 2026, the RoguePlanet Microsoft Defender race condition underscores that even trusted antimalware components can become a direct path to full system compromise if left unpatched.


Vulnerability Details

#1 — An Elevation-of-Privilege Flaw in the Malware Protection Engine

CVE-2026-50656, nicknamed RoguePlanet, is an elevation-of-privilege vulnerability. It sits in the Microsoft Malware Protection Engine, the component that provides scanning, detection, and cleaning for Microsoft Defender and related antimalware products.

#2 — A Check-Then-Act Race Condition Leads to SYSTEM

The root cause is a timing flaw: the engine performs an operation in a way that can be interrupted and manipulated in the narrow gap between a check and the action that follows it. An attacker who can already run code locally races the engine to win that window and redirect a privileged operation, which ends with a shell running as SYSTEM.

#3 — Works With Protection On or Off

The researcher confirmed the race condition works with protection on or off, and possibly in passive mode. Once SYSTEM access is obtained, the attacker can execute arbitrary code and carry out unauthorized actions at the highest privilege level Windows offers.

#4 — Exposed Even on Fully Patched Windows 10 and 11

The flaw affects Microsoft Defender's Malware Protection Engine across supported Windows 10 and Windows 11 builds, and the public exploit was demonstrated working on systems that already had the June 2026 Patch Tuesday updates installed — meaning "fully patched" machines remained exposed until the engine itself was updated.

#5 — Public Proof-of-Concept and a Fixed Engine Release

A working proof-of-concept exploit for RoguePlanet has been made public. The flaw was disclosed in June 2026, but Microsoft released the fix this month, updating the Microsoft Malware Protection Engine to version 1.1.26060.3008 to address the vulnerability.


Vulnerability Details Table

CVE IDAffected ProductsAffected CPECWE ID
CVE-2026-50656 Microsoft Defender – Malware Protection Engine (Before 1.1.26060.3008) cpe:2.3:a:microsoft:malware_protection_engine:-:*:*:*:*:*:*:* CWE-59

Recommendations

01

Confirm the Engine Update Is Installed

Verify that the Microsoft Malware Protection Engine is at version 1.1.26060.3008 or later, which contains the fix for CVE-2026-50656. Check the engine version in the Windows Security app or through your endpoint management tooling, and trigger a manual definition/engine update on any machine that has been offline.

02

Let Automatic Updates Run, but Verify Coverage

Microsoft states no user action is normally required because the Malware Protection Engine updates automatically, often several times a day when connected to the internet. Still, confirm that endpoints, servers, and isolated or air-gapped systems are actually receiving engine updates, since those hosts are the most likely to lag behind on the RoguePlanet fix.

03

Enforce Least Privilege and Limit Local Code Execution

Because this is a local elevation-of-privilege flaw, an attacker needs an initial foothold to exploit the race condition. Restrict who can run code on endpoints, apply application control or allow-listing, and reduce standing local-admin rights so an initial compromise has fewer paths to escalate to SYSTEM.

04

Watch for Unexpected SYSTEM Shells

Monitor for command interpreters such as cmd.exe or powershell.exe spawning as SYSTEM from unusual parent processes, particularly those tied to the Microsoft Defender antimalware engine. A sudden SYSTEM-level shell with no legitimate administrative context is a strong signal worth investigating.


Potential MITRE ATT&CK TTPs

T1059
Execution
Command and Scripting Interpreter
T1068
Privilege Escalation
Exploitation for Privilege Escalation
T1588.006
Resource Development
Obtain Capabilities: Vulnerabilities

References & Patch Links

Patch Link
References