VULNERABILITY OVERVIEW
A Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-362) in the Microsoft Malware Protection Engine's file-scanning workflow allows a low-privileged local attacker to substitute a malicious payload during the gap between file check and file open, triggering execution under the SYSTEM account. Researcher Nightmare Eclipse (Chaotic Eclipse) published a working PoC on GitHub on June 10, 2026 before a patch existed; Microsoft confirmed the flaw (MSRC advisory) and stated a high-quality fix is in development with no release date committed. The PoC functions regardless of whether Defender real-time protection is enabled.
CVSS BREAKDOWN
↗
Attack Vector
LOCAL
△
Attack Complexity
HIGH
⚷
Privs Required
LOW
◈
User Interaction
NONE
⊕
Scope / Impact
UNCHANGED
C:H · I:H · A:H
AFFECTED VERSIONS
All Windows 10 and Windows 11 systems running Microsoft Defender with the Malware Protection Engine (MPE) prior to a forthcoming patch; no fix available as of June 24, 2026CITATIONS
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
- → https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
- → https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
- → https://github.com/MSNightmare/RoguePlanet
- → https://thecyberexpress.com/cve-2026-50656-rogueplanet-windows-defender/