عاجل
ESNBA detiene traspaso de Kawhi Leonard por investigaciónESFrancia vence a Marruecos y se mete en semifinales del MundialESMbappé se redime tras fallar un penalti con un golazo y alcanza los 20 en MundialesESFrancia y Marruecos abren los cuartos de final con un duelo de poder a poderESLorde encabeza el Día de la Mujer Mundial en Mad Cool con un pop vibranteESPolémica por un penalti a Mbappé en el Francia-Marruecos: el VAR tardó más de tres minutos en decidirESBelén Aguilera y Paris Paloma deslumbran en la primera jornada del Bilbao BBK LiveESSenadora paraguaya denuncia hackeo de Instagram tras insultos racistas a MbappéESAleksandar Sekulic, favorito para entrenar al Barça de baloncestoESMuchova vence a Gauff y se enfrentará a Noskova en la final de WimbledonESNBA detiene traspaso de Kawhi Leonard por investigaciónESFrancia vence a Marruecos y se mete en semifinales del MundialESMbappé se redime tras fallar un penalti con un golazo y alcanza los 20 en MundialesESFrancia y Marruecos abren los cuartos de final con un duelo de poder a poderESLorde encabeza el Día de la Mujer Mundial en Mad Cool con un pop vibranteESPolémica por un penalti a Mbappé en el Francia-Marruecos: el VAR tardó más de tres minutos en decidirESBelén Aguilera y Paris Paloma deslumbran en la primera jornada del Bilbao BBK LiveESSenadora paraguaya denuncia hackeo de Instagram tras insultos racistas a MbappéESAleksandar Sekulic, favorito para entrenar al Barça de baloncestoESMuchova vence a Gauff y se enfrentará a Noskova en la final de Wimbledon
Newsgather
BackMicrosoft Defender Patch May Cause Disk Space Exhaustion
Microsoft Defender Patch May Cause Disk Space Exhaustion
يتطور
Ars Technica2 sa önceتقنية3 dk okumaUnited States

Microsoft Defender Patch May Cause Disk Space Exhaustion

نظرة سريعة

  • A Microsoft Defender patch for a zero-day vulnerability (CVE-2026-50656) may cause Windows machines to write files large enough to consume all disk space.
  • The researcher NightmareEclipse disclosed the issue, stating that new mitigations in mpengine.dll can lead to massive file caching.

ملخص مُنشأ بالذكاء الاصطناعي

لماذا يهم

A Microsoft Defender patch for a zero-day vulnerability may inadvertently cause disk space exhaustion on Windows machines. The researcher who discovered the flaw claims the fix introduces a new issue where files can be written without limit.

حجم الخط

A patch Microsoft released on Wednesday to fix a zero-day vulnerability in its Defender security engine may cause Windows machines to write files large enough to completely consume available disk space, the researcher who discovered the flaw said.

RoguePlanet, tracked as CVE-2026-50656, came to public notice in June when NightmareEclipse, the pseudonymous name used by a researcher, disclosed it along with code for exploiting it. The vulnerability allows remote attackers to gain administrative control of Windows 10 and Windows 11 machines, even when real-time protection has been disabled. Over the past few months, the anonymous researcher has published a handful of other zero-days that have sent Microsoft scrambling to develop patches.

Writing files of unlimited size

Microsoft said Wednesday that it patched RoguePlanet with an update to the Microsoft Malware Protection Engine, which is used by the Defender antivirus app. The fix will automatically be downloaded and installed without users having to take any action. Wednesday’s update also includes “defense-in-depth updates to help improve security-related features.”

In a post on Thursday, NightmareEclipse said the defense-in-depth additions produce behavior that may allow attackers to exhaust all available space on a hard drive by writing massive amounts of data to it. The newly introduced mitigations create a problem in mpengine.dll, the driver associated with the Microsoft Malware Protection Engine, that in some cases causes it to leak 8 bytes of data when trying to open a file. New functionality in SpyNet, a cloud service that allows Microsoft Security Essentials or Forefront Endpoint Protection to send reports about suspicious software and programs to Microsoft, also plays a role in the potential mass file-writing behavior.

Defender normally places hard limits on how big a file can be written to disk when scanning and quarantining a machine.

“This implementation make [sic] sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space,” the researcher wrote. “I found a small exception to this rule, apparently the spynet functions in mpengine.dll really wants [sic] to keep a local copy of Zone.Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways.”

A Zone.Identifier is a hidden metadata file, sometimes called an alternative data stream, that Windows automatically associates with files downloaded from the Internet or received in email or other external sources. The data stream allows Windows to mark the file’s origin and the security zone it should receive.

NightmareEclipse said that a malicious actor could trigger this behavior using Symmetric Message Block, a communications protocol for sharing files over a local Windows network. The researcher explained:

You will need a special setup to exploit this, a custom SMB server that will be handling requests from Windows Defender is needed, the SMB server should serve a malicious file (a good example is mimikatz executable) followed by a massive ADS file (a good example is mimikatz.exe:Zone.Identifier), in the process of replying to the read requests, at some point the SMB server should never respond to the read request but keep the connection alive. This will cause Defender to hang and keep a lock on the offending files that holds the entire disk space.

Obviously this won’t crash the machine but windows won’t behave properly with a full disk, multiple apps and services crash randomly.

Microsoft didn’t immediately answer questions asking if it could confirm the described behavior existed.

NightmareEclipse and Microsoft have been locked in a heated dispute since at least May, when the researcher said Microsoft silently patched a vulnerability the researcher had privately reported. In the weeks following, the researcher released details and exploit code for a handful of vulnerabilities before Microsoft had a chance to patch them. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a veiled reference to the possibility of pursuing legal action. After a public backlash, Microsoft relented and vowed no such legal action would occur.

Thursday’s salvo suggests that the feud has yet to be resolved.

ما الذي يجب مراقبته

توقعات الذكاء الاصطناعي — احتمالات وليست حقائق

  • Microsoft will release a follow-up patch to address the disk space exhaustion issue.

    مرجح جداً · خلال أيام

  • The dispute between Microsoft and NightmareEclipse will continue.

    مرجح · خلال أسابيع

أسئلة مفتوحة

  • Will Microsoft release a further patch?
  • What is the full extent of the issue?
  • How many users are affected?

مواضيع ذات صلة

This article was originally published by Ars Technica.

أخبار ذات صلة

المزيد حول هذا الموضوعMicrosoft Defender