CVE-2026-50656 RoguePlanet Vulnerability
Microsoft has officially acknowledged a newly disclosed zero-day vulnerability affecting Microsoft Defender, known as RoguePlanet, and confirmed that a security update is currently in development to address the issue.
The flaw has been assigned CVE-2026-50656 and carries a CVSS severity score of 7.8. According to Microsoft, the vulnerability is classified as an elevation-of-privilege weakness within the Microsoft Malware Protection Engine used by Microsoft Defender.
Microsoft stated that it is aware of the publicly disclosed issue, which security researchers have named RoguePlanet.
Understanding the Threat Behind RoguePlanet
Microsoft's acknowledgement follows the public disclosure of RoguePlanet approximately one week earlier. The researcher responsible for uncovering the flaw described it as a race condition vulnerability capable of granting attackers access to a command shell running with SYSTEM-level privileges.
Because the exploit relies on a race condition, its success rate varies between systems. Testing has shown that some devices can be compromised with a near-perfect success rate, while others prove more resistant to exploitation.
Notably, the published Proof-of-Concept (PoC) functions regardless of whether Microsoft Defender's real-time protection feature is enabled or disabled.
A Growing List of Defender Security Flaws
RoguePlanet represents the fourth Microsoft Defender vulnerability publicly disclosed by the same researchers. Previous findings include:
BlueHammer (CVE-2026-33825)
UnDefend (CVE-2026-45498)
RedSun (CVE-2026-41091)
All three previously disclosed vulnerabilities have already been patched by Microsoft.
Potential Impact of Successful Exploitation
If an attack leveraging RoguePlanet succeeds, the attacker gains a shell operating with SYSTEM-level permissions, one of the highest privilege levels available on Windows systems. Such access enables malicious actors to:
Execute arbitrary code.
Perform unauthorized actions across the affected system.
The elevated privileges significantly increase the potential impact of a successful compromise.
Tested Against Fully Updated Windows Systems
Security testing confirmed that the exploit works on both Windows 10 and Windows 11 systems that have already received the June 2026 Patch Tuesday updates. This indicates that fully updated desktop installations remain vulnerable until Microsoft releases a dedicated fix.
Windows Server Exposure Requires a Different Exploitation Method
In its current form, the exploit does not function on Windows Server environments because standard users are not permitted to mount ISO images, a requirement of the existing attack technique.
However, this limitation should not be interpreted as immunity. Researchers emphasized that Windows Server installations are still affected by the underlying vulnerability. The exploit would simply need to be redesigned to accommodate the platform's restrictions before successful exploitation becomes possible.