Microsoft said it has closed off RoguePlanet, a privilege escalation flaw in the Windows Defender scanning engine that could let a local attacker spawn a SYSTEM-level shell, but the researcher who found the zero-day bug has poked new holes in the anti-malware tool.
A race condition bug, the vulnerability works on Windows 10 and 11 operating systems that are not patched against RoguePlanet, and carries a common vulnerability scoring system (CVSS) rating of 7.8 out of 10 for severity.
Updating Windows Defender Malware Protection Engine to version 1.1.26060.3008 brings in the fix for RoguePlanet.
Nightmare Eclipse, the pseudonymous researcher who published the details of RoguePlanet nearly a month ago, followed up on the patch release with a post describing two further issues, one of which appears to be directly related to Microsoft's fix.
This is an eight-byte information leak that the researcher attributes to defence-in-depth hardening that Microsoft bundled with the update for RoguePlanet.
The researcher noted that they haven't been able to find a way for the leak to reach standard user processes, beyond Windows kernel drivers.
A second vulnerability involves a denial-of-service bug that can exhaust an entire disk by abusing how Defender caches a file's Zone.Identifier, the alternate data stream Windows uses to flag files downloaded from the internet under its Mark-of-the-Web system, Nightmare Eclipse said.
Defender normally enforces strict size limits before scanning or quarantining a file, specifically to stop itself filling the disk, but the researcher found that limit does not apply to the Zone.Identifier cache.
The proposed exploitation path involves standing up a rogue Server Message Block (SMB) server that serves a malicious file alongside an oversized Zone.Identifier stream, then simply stops answering read requests while keeping the connection open, causing Defender to hang and keep a lock on the offending files that holds the entire disk space.
Nightmare Eclipse said they had reproduced the issue on Windows 11 25H2 and Windows Server 2025; neither of the abovementioned issues has been confirmed by Microsoft or have a Common Vulnerabilities and Exposures (CVE) identifier.
RoguePlanet is not an isolated incident; it is the latest entry in a growing list of Defender and BitLocker zero-days from the researcher known as Nightmare Eclipse, or Chaotic Eclipse, who took umbrage to Microsoft's reception and recognition of vulnerability reports.
The list now runs to BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), the BitLocker bypass YellowKey, plus two further bugs dubbed GreenPlasma and MiniPlasma, all disclosed between April and June this year.
Three of those, BlueHammer, RedSun and UnDefend, were subsequently exploited in real-world attacks before patches were available, according security vendor Huntres.
The three vulnerabilities were added to the United States Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalogue.
Microsoft attacked the researcher for failing to responsibly disclose vulnerabilities and warned its Digital Crimes Unit would keep pursuing cases against those involved in their discovery, only to walk back the thinly veiled legal threats after a sharp security industry backlash.

iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
Integrate 2026
Security Exhibition & Conference



