Skip to main content
TechnologyJul 10, 2026· 2 min read

Is the Microsoft Defender fix worse than the problem? The patch on Windows fills the disk

Microsoft has released an update for Windows Defender that, while resolving a critical zero-day vulnerability, could trigger a new problem perhaps even worse: disk space exhaustion. The researcher who first discovered the defect, known by the pseudonym NightmareEclipse, reported that the implemented patch has a serious side effect.

The original vulnerability, identified as CVE-2026-50656 and known as RoguePlanet, emerged in June when NightmareEclipse made it public, including the code to exploit it. This defect allowed remote attackers to gain administrative control over Windows 10 and Windows 11 systems, even with Defender's real-time protection disabled. In recent months, the same researcher has disclosed several other zero-day vulnerabilities, forcing Microsoft to act quickly to release fixes.

The "defense in depth" that risks locking the system

The Redmond giant announced Wednesday that it has resolved RoguePlanet with an update to the Microsoft Malware Protection Engine, the core of the Defender antivirus application. The fix is downloaded and installed automatically, without requiring user intervention. The update also includes "defense in depth updates aimed at improving security features."

However, NightmareEclipse revealed that these very "defense in depth" additions create behavior that could allow attackers to completely saturate the available space on a hard disk by writing massive amounts of data. The new mitigations have introduced a problem in the driver mpengine.dll, associated with the Microsoft Malware Protection Engine, which in some cases causes a loss of 8 bytes of data every time it tries to open a file. New features in SpyNet, a cloud service that allows Microsoft Security Essentials or Forefront Endpoint Protection to send reports to Microsoft on suspicious software, also contribute to this potential mass file writing behavior.

Normally, Defender imposes strict limits on the size of files that can be written to disk during scanning and quarantine, precisely to prevent an excessively large file from exhausting available space. The researcher explained that "this implementation makes sense, because quarantining a massive file would cause Defender to completely exhaust the available disk space." However, he identified a specific exception to this rule: "Apparently, the spynet functions in mpengine.dll want to maintain a local copy of the file Zone.Identifier ADS and no matter how large this file is, Windows Defender will still cache it locally." It is precisely this abnormal interaction, combined with data loss, that opens the door to the risk of disk saturation.