Facepalm: Microsoft released an update for a recently unveiled zero-day vulnerability in Windows Defender, but the patch is apparently making things even worse. The researcher who first discovered the "RoguePlanet" flaw quickly found some potentially dangerous problems in the patch as well.

The feud between "NightmareEclipse" and Microsoft continues to hold unpleasant surprises for the Windows ecosystem. The disgruntled security researcher, who accused Redmond of hiding a pernicious backdoor in BitLocker's volume encryption, recently shared details about RoguePlanet, a new zero-day flaw that could be abused by cybercriminals to gain full administrative privileges on a patched Windows system.

NightmareEclipse also unveiled the proof-of-concept code required to exploit RoguePlanet, but Microsoft was quick to act. Just a week before this month's Patch Tuesday, the company released a patch for the flaw. Tracked as CVE-2026-50656, the vulnerability was apparently resolved through an update to Microsoft Defender's Malware Protection Engine (mpengine.dll).

The Malware Protection Engine provides Defender and Microsoft's other endpoint antimalware solutions with their virus scanning, detection, and cleaning capabilities, the company explains. However, according to NightmareEclipse, the recently updated mpengine.dll library still includes some significant issues that could be exploited in a complex attack chain.

In their latest PGP-signed message, the researcher said the new mitigations in mpengine.dll, which Microsoft calls "defense-in-depth updates," can prompt Defender to leak 8 bytes of data during some specific file opening operations. By abusing this flaw, along with Microsoft's SpyNet cloud service for reporting suspicious files to Microsoft researchers, a malicious party could force Defender to quarantine huge files, exhausting all available space on the system volume.

The new flaw exploits SpyNet, mpengine.dll, and a hidden metadata feature in the NTFS file system called Alternate Data Streams. NightmareEclipse said that properly exploiting this new "flaw" requires a specific setup based on a custom Server Message Block (SMB) server. If successful, the attack could affect the reliability of the Windows OS, with applications and services starting to behave erratically as the storage drive fills up completely.

NightmareEclipse successfully reproduced the new issue on Windows 11 25H2 and Windows Server 2025, and is now trying to find a way to exploit the bug remotely without needing a special SMB-based connection.

Microsoft has not yet commented on the issue. The Redmond company will most certainly have another field day at next week's Patch Tuesday update session.