Microsoft has formally confirmed it is working on a patch for a Defender zero-day vulnerability codenamed RoguePlanet, now tracked as CVE-2026-50656 with a CVSS score of 7.8.
The company described the flaw as a privilege escalation vulnerability within the Microsoft Malware Protection Engine.
“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as ‘RoguePlanet,’” the company said. “We are working to provide a high-quality security update that addresses this vulnerability.”
The disclosure comes roughly a week after security researcher Chaotic Eclipse, also known online as Nightmare-Eclipse, released a proof-of-concept exploit for RoguePlanet. The researcher described the vulnerability as a race condition, a flaw that depends on precise timing between system processes, and said it grants attackers a shell with SYSTEM-level privileges, the highest level of access on a Windows machine.
“The exploit is a race condition, so it’s a hit or miss,” the researcher noted. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
In a follow-up update shared this week, the researcher added a notable detail about the exploit’s behavior. The proof-of-concept reportedly works regardless of whether Defender’s real-time protection is switched on or off, a finding the researcher called surprising given that real-time protection is specifically designed to block this category of attack. The researcher said they believe the exploit may also work in passive mode but had not yet confirmed this.
Microsoft initially told reporters it was “actively investigating the validity and potential applicability of these claims” before issuing its formal confirmation.
RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft.

