
Windows Defender vulnerability RoguePlanet exploited before patch release

by Tekmono Editorial Team
18/06/2026

A newly disclosed Windows Defender vulnerability, tracked as CVE-2026-50656 and dubbed RoguePlanet, has raised concerns across the cybersecurity community after a working proof-of-concept (PoC) exploit was released before a security patch became available. The exploit was published on GitHub by security researcher Nightmare Eclipse on June 10, 2026, only hours after Microsoft issued its June Patch Tuesday updates.

The RoguePlanet flaw affects Microsoft Defender and carries a CVSS 3.1 base score of 7.8, categorized under CWE-362, which covers race conditions caused by improper synchronization of shared resources. Microsoft has acknowledged CVE-2026-50656 and confirmed that a fix is in development, but as of June 18, 2026, the company has not announced a release timeline.

The publication of CVE-2026-50656 followed the researcher’s earlier coordinated disclosures involving two other Defender vulnerabilities, CVE-2026-45586 (GreenPlasma) and CVE-2026-45585 (YellowKey), both of which were addressed during June’s Patch Tuesday cycle.

Nightmare Eclipse stated that the decision to publicly release RoguePlanet without a prior coordinated disclosure period stemmed from dissatisfaction with what was described as slow response times within Microsoft’s bug bounty process. As a result, defenders are now dealing with a publicly documented exploit targeting one of the world’s most widely deployed endpoint security platforms before a patch is available.

CVE-2026-50656 is a Time-of-Check to Time-of-Use (TOCTOU) race condition inside Microsoft Defender’s file-processing workflow. During a scan, Defender checks a file path and later reopens the file for analysis. The RoguePlanet exploit takes advantage of the gap between those two actions by replacing the original file with a malicious payload.

Because Microsoft Defender operates under the SYSTEM account, winning the race allows the substituted payload to execute with SYSTEM-level privileges. The exploit reportedly works on fully patched Windows 10 and Windows 11 systems.

Although exploitation requires local authenticated access, attackers often obtain such access through phishing campaigns, browser exploits, or stolen credentials. The PoC is not guaranteed to succeed on every attempt because it depends on winning the race condition. However, Nightmare Eclipse noted that automated retry mechanisms can make exploitation reliable in practical scenarios.

Local privilege escalation vulnerabilities such as CVE-2026-50656 are frequently used in post-compromise attack chains. Once attackers gain limited access, vulnerabilities like RoguePlanet can elevate permissions to full system control. This enables actions such as disabling security software, extracting credentials from LSASS, establishing persistence, and moving laterally across networks.

Microsoft stated that it is working on a ‘high-quality patch’ but has not committed to an out-of-band release, leaving open the possibility that CVE-2026-50656 could remain unpatched until a future Patch Tuesday update. Organizations are advised to monitor Windows Event Logs for unexpected SYSTEM-level process creation, deploy EDR detections for rapid file-substitution activity, enforce least-privilege access controls, restrict unnecessary development tools, enable Attack Surface Reduction rules in block mode, block known PoC hashes, and deploy Microsoft’s fix immediately once it becomes available.
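The "rapid file-substitution" detection recommended above can be expressed as a sliding-window rule: flag any non-SYSTEM process that replaces the same path several times within a couple of seconds, which is the retry pattern a race needs. This is an added example, not code from Microsoft, the researcher, or this article; the event schema, the process names, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (timestamp user process action path); not real Defender or EDR output.
SAMPLE_EVENTS = r"""
2026-06-18T10:00:00.000 alice notepad.exe create C:\Users\alice\notes.txt
2026-06-18T10:00:05.100 alice build.exe create C:\src\out\app.obj
2026-06-18T10:00:05.900 alice build.exe rename_over C:\src\out\app.obj
2026-06-18T10:01:00.000 bob tool.exe create C:\Users\bob\Temp\sample.bin
2026-06-18T10:01:00.200 bob tool.exe rename_over C:\Users\bob\Temp\sample.bin
2026-06-18T10:01:00.400 bob tool.exe rename_over C:\Users\bob\Temp\sample.bin
2026-06-18T10:01:00.600 bob tool.exe rename_over C:\Users\bob\Temp\sample.bin
2026-06-18T10:01:00.800 bob tool.exe rename_over C:\Users\bob\Temp\sample.bin
2026-06-18T10:01:01.000 SYSTEM scanner.exe open C:\Users\bob\Temp\sample.bin
"""

REPLACING = {"create", "rename_over"}  # actions that swap the content behind a path

def parse(text):
    """Yield (ts, user, process, action, path) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, user, proc, action, path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), user, proc, action, path.lower()

def detect_rapid_substitution(events, window=timedelta(seconds=2), threshold=4):
    """Alert once per (path, user, process) that replaces the same path
    at least `threshold` times inside the sliding `window`."""
    recent = defaultdict(deque)  # (path, user, process) -> replace timestamps
    alerted, alerts = set(), []
    for ts, user, proc, action, path in sorted(events):
        if action not in REPLACING or user.upper() == "SYSTEM":
            continue  # only low-privileged writers are of interest here
        key = (path, user, proc)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"path": path, "user": user, "process": proc,
                           "count": len(q), "at": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_rapid_substitution(parse(SAMPLE_EVENTS)):
        print(alert)
```

Tune the window and threshold against baseline telemetry first, since installers and build tools also rewrite files in bursts.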
