Blog

Windows Defender "Fix" Could Let Attackers Fill Your Hard Drive. The Feud Continues

Published July 16th, 2026 by Bayonseo

For Windows security, the past few months have been hectic. A series of zero-day disclosures has resulted from an ongoing public spat between Microsoft and a security researcher; the most recent development may be the most ironic to date. The researcher who discovered a serious weakness in Windows Defender has now cautioned that Microsoft's own fix for that flaw may be used as a weapon to fill your hard drive, which could cause your system to crash and corrupt important data.


The Never‑Ending Windows Defender Saga

The story starts with CVE-2026-50656, a zero-day vulnerability known as "RoguePlanet" that was made public by NightmareEclipse, an anonymous researcher. Even when Defender's real-time protection was turned off, the vulnerability gave remote attackers administrative control over Windows 10 and Windows 11 computers. In an attempt to fix the problem, Microsoft released an update through the Microsoft Malware Protection Engine on July 9. However, the researcher claims that a new issue was brought about by the "defense –in –depth" changes in that patch.


How the "Fix" Becomes an Attack

The Malware Protection Engine driver, mpengine.dll, has a bug that causes it to occasionally leak eight bytes of data when attempting to open a file, which is the cause of the new behavior. The patch eliminates the typical hard limits on the size of a file that can be written to disk when combined with modifications to Microsoft's cloud service SpyNet.

The researcher discovered that the engine's SpyNet functionalities prefer to maintain a local copy of a secret metadata file known as a Zone. identifier, and it will do so no matter how big the file is. By creating a custom SMB server that delivers a malicious file followed by a massive Zone, attackers can take advantage of this.file identifier. The server makes Defender hang and keep writing data until the disk is full by maintaining the connection without answering read requests.

The outcome? A full hard disk causes various programs and services to crash at random. It's a delayed, excruciating denial of service that might drive a machine to its knees rather than a conventional crash.


A Heated Feud with No End in Sight

This most recent finding is only one part of the escalating conflict between Microsoft and NightmareEclipse. According to the researcher, Microsoft made a number of public disclosures after silently patching a vulnerability they had privately reported. The researcher was publicly chastised by Microsoft for "not responsibly" revealing vulnerabilities, and the company even threatened legal action before rescinding in response to public outcry. The revelation on Thursday implies that the conflict is far from resolved.


What You Can Do Right Now

The risk exists even if Microsoft has not formally acknowledged the new behavior. Until a new patch is made available, companies ought to:

  • On Windows systems, keep a tight eye on disk use, particularly after installing the most recent Defender patches.
  • To lessen the attack surface, restrict access to SMB shares from unreliable sources.
  • Apply the July 9 patch; the original RoguePlanet vulnerability is significantly more serious despite the new problem.
  • As the situation changes, keep an eye out for any Microsoft updates.


How Bayon Technologies Group Can Help You Stay Safe

The intricacy of contemporary patch management, where a repair for one vulnerability may unintentionally spawn another, is shown by this ongoing tale. At Bayon Technologies Group, we assist businesses in overcoming these obstacles by:

  • Assessing vulnerabilities and setting priorities will help you apply updates appropriately.
  • Monitoring and alerting on disk utilization can help identify anomalous storage behavior early.
  • Planning an incident response for denial-of-service situations.
  • Constant security monitoring will keep your systems safe even while there are active zero-day windows.

Prevent a patch from creating a new issue. To develop a robust security plan, get in touch with Bayon Technologies Group right now.


‹ Back