Microsoft races to patch RoguePlanet Defender zero-day

Microsoft has confirmed it is working on a security patch for a Microsoft Defender zero-day called “RoguePlanet,” now tracked as CVE-2026-50656. A researcher who disclosed the flaw last week says the exploit targets a Defender race condition to spawn command p
When a zero-day is disclosed, the clock starts immediately—not just for Microsoft’s engineering team, but for every security team trying to close a gap before attackers do.
Microsoft confirmed it is working on a patch for a Microsoft Defender zero-day vulnerability named “RoguePlanet,” disclosed one week ago.
The vulnerability was published by a security researcher known as “Nightmare Eclipse” during the June 2026 Patch Tuesday release, under the name “RoguePlanet.” Nightmare Eclipse said the flaw affects fully patched Windows 10 and Windows 11 devices and can be used to spawn command prompts with SYSTEM privileges through a Microsoft Defender race condition.
In a self-hosted proof-of-concept repository shared by the researcher, the exploit is described as a race condition—meaning it is hit or miss. Nightmare Eclipse said they managed to get a 100% success rate on some machines while it struggled on others. They also said the proof-of-concept works regardless of whether real-time protection is on or off.
Their disclosure also included an escalation of concern about how Microsoft handles vulnerability reports. Nightmare Eclipse claimed that Microsoft had previously targeted and removed their repositories hosting exploits on GitHub and GitLab.
Microsoft, for its part, acknowledged the issue while leaving out key details about how it was found. A Microsoft spokesperson said the company was aware of the reported vulnerability and actively investigating the validity and potential applicability of the researcher’s claims. The spokesperson added that Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible.
The next step came a week after RoguePlanet was disclosed. Microsoft assigned the flaw the identifier CVE-2026-50656 and confirmed it is currently working on a patch. In an advisory published on Tuesday, Microsoft said it is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as “RoguePlanet.” The company said it is working to provide a high quality security update that addresses the vulnerability and will provide information in the CVE when the update becomes available. Microsoft did not acknowledge that Nightmare Eclipse was the one who found the vulnerability.
Behind this technical scramble is a separate fight with human consequences for how security research gets handled. The RoguePlanet release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over bug bounty and vulnerability disclosure practices. Over the past several months, the researcher publicly leaked multiple Windows zero-day exploits, including for the BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws. Some of these zero-days affect Microsoft Defender, while others target BitLocker and Windows components.
Microsoft’s response to Nightmare Eclipse’s disclosures included warnings of legal action when people engage in “malicious activity causing real harm to our customers,” and many cybersecurity experts and researchers interpreted those statements as threats toward the researcher.
In the same timeline, Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last week as part of the June 2026 Patch Tuesday updates.
For now, RoguePlanet is tracked as CVE-2026-50656 while Microsoft works on its security update. The urgency is clear: the researcher describes the exploit as powerful enough to reach SYSTEM privileges through a Defender race condition—yet inconsistent enough to make attackers test and retest, and defenders scramble to patch before the next attempt lands.
So this is like a Windows Defender bug that gives hackers command prompts? Love that.
Patch Tuesday one week ago and now it’s already CVE… what else are they gonna miss? My computer literally auto-updates so I’m hoping I’m safe??
“Race condition” sounds like one of those things that only works in a lab lol but also they got 100% on some machines so idk. If it works with real-time protection on or off then what’s the point of having it on?
This Nightmare Eclipse name being repeated like 5 times in the article makes me think it’s not even real or it’s propaganda or something. Also Microsoft “removed repositories”??? So they were aware before and just didn’t fix it? Seems sus to me, even if it’s “fully patched” Windows 10/11.