
Threat Advisory • Vulnerability Report • TA2026195
CVE-2026-50656, nicknamed RoguePlanet, is a race condition elevation-of-privilege vulnerability (CWE-59) in the Microsoft Defender Malware Protection Engine. An attacker already running code on a machine can win a narrow check-then-act timing window during a scan operation and redirect it into a SYSTEM-level command shell — reportedly regardless of whether real-time protection is enabled, and even on fully patched Windows 10 and 11 builds. Microsoft has fixed the flaw in Malware Protection Engine version 1.1.26060.3008.
CWE-59
PROOF-OF-CONCEPT PUBLIC
LOCAL ACCESS REQUIRED
Section 01
Microsoft Defender has a flaw nicknamed RoguePlanet (CVE-2026-50656) that turns the security tool itself into an attacker's foothold. It is a race condition in Defender's scanning engine — the Microsoft Malware Protection Engine — meaning an attacker who is already on a machine can win a split-second timing gap to pop open a command prompt with SYSTEM access, the highest privilege level on Windows. The unsettling part is that it worked on fully patched Windows 10 and Windows 11 systems, and regardless of whether real-time protection was switched on.
A researcher went public with a working proof-of-concept for RoguePlanet during a dispute with Microsoft over its bug-bounty practices. No known threat group or malware has been tied to the vulnerability so far, and Microsoft has since fixed the SYSTEM privilege escalation issue in Malware Protection Engine version 1.1.26060.3008. First seen on June 16, 2026, the RoguePlanet Microsoft Defender race condition underscores that even trusted antimalware components can become a direct path to full system compromise if left unpatched.
Section 02
CVE-2026-50656, nicknamed RoguePlanet, is an elevation-of-privilege vulnerability. It sits in the Microsoft Malware Protection Engine, the component that provides scanning, detection, and cleaning for Microsoft Defender and related antimalware products.
The root cause is a timing flaw: the engine performs an operation in a way that can be interrupted and manipulated in the narrow gap between a check and the action that follows it. An attacker who can already run code locally races the engine to win that window and redirect a privileged operation, which ends with a shell running as SYSTEM.
The researcher confirmed the race condition works with protection on or off, and possibly in passive mode. Once SYSTEM access is obtained, the attacker can execute arbitrary code and carry out unauthorized actions at the highest privilege level Windows offers.
The flaw affects Microsoft Defender's Malware Protection Engine across supported Windows 10 and Windows 11 builds, and the public exploit was demonstrated working on systems that already had the June 2026 Patch Tuesday updates installed — meaning "fully patched" machines remained exposed until the engine itself was updated.
A working proof-of-concept exploit for RoguePlanet has been made public. The flaw was disclosed in June 2026, but Microsoft released the fix this month, updating the Microsoft Malware Protection Engine to version 1.1.26060.3008 to address the vulnerability.
Section 03
| CVE ID | Affected Products | Affected CPE | CWE ID |
|---|---|---|---|
CVE-2026-50656 |
Microsoft Defender – Malware Protection Engine (Before 1.1.26060.3008) |
cpe:2.3:a:microsoft:malware_protection_engine:-:*:*:*:*:*:*:*
|
CWE-59 |
Section 04
Confirm the Engine Update Is Installed
Verify that the Microsoft Malware Protection Engine is at version 1.1.26060.3008 or later, which contains the fix for CVE-2026-50656. Check the engine version in the Windows Security app or through your endpoint management tooling, and trigger a manual definition/engine update on any machine that has been offline.
Let Automatic Updates Run, but Verify Coverage
Microsoft states no user action is normally required because the Malware Protection Engine updates automatically, often several times a day when connected to the internet. Still, confirm that endpoints, servers, and isolated or air-gapped systems are actually receiving engine updates, since those hosts are the most likely to lag behind on the RoguePlanet fix.
Enforce Least Privilege and Limit Local Code Execution
Because this is a local elevation-of-privilege flaw, an attacker needs an initial foothold to exploit the race condition. Restrict who can run code on endpoints, apply application control or allow-listing, and reduce standing local-admin rights so an initial compromise has fewer paths to escalate to SYSTEM.
Watch for Unexpected SYSTEM Shells
Monitor for command interpreters such as cmd.exe or powershell.exe spawning as SYSTEM from unusual parent processes, particularly those tied to the Microsoft Defender antimalware engine. A sudden SYSTEM-level shell with no legitimate administrative context is a strong signal worth investigating.
Section 05
Section 06