Skip to main content

Microsoft Defender CVE-2026-50656

| EUVDEUVD-2026-37141 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-16 microsoft GHSA-hgx9-224c-3p2x
7.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-priv attacker (AV:L/PR:L) must win a filesystem race to abuse link following (AC:H), and the SYSTEM-level engine yields total C/I/A within one system (S:U).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 09, 2026 - 00:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 00:22 vuln.today
cvss_changed
CVSS changed
Jul 09, 2026 - 00:22 NVD
7.8 (HIGH) 7.0 (HIGH)
Analysis Generated
Jun 16, 2026 - 18:56 vuln.today
CVE Published
Jun 16, 2026 - 18:01 cve.org
HIGH 7.8

DescriptionNVD

Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.

AnalysisAI

Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.

Technical ContextAI

The Microsoft Malware Protection Engine (mpengine.dll) is the common scanning and detection component behind Microsoft Defender Antivirus, Security Essentials, and related Microsoft anti-malware products; it runs as a highly privileged service so it can inspect and quarantine files anywhere on disk. The CWE-59 root cause (improper link resolution / link following) means the engine can be tricked into following an attacker-controlled symbolic link, junction, or hard link so that a privileged file operation - such as writing, moving, or acting on a quarantined/scanned file - is redirected to a location the attacker could not otherwise reach. The affected CPE is cpe:2.3:a:microsoft:microsoft_malware_protection_engine, confirming the flaw lives in the shared engine rather than a specific Defender UI build. Symlink-following classes of bugs in privileged antivirus services are a well-known local privilege-escalation primitive because the security product itself supplies the high-privilege context.

RemediationAI

Patch available per vendor advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656); no discrete fixed engine version number is published in the provided data because the Malware Protection Engine updates automatically. The primary action is to ensure the engine self-updates: confirm systems are running an engine version at or above the one Microsoft ships for this CVE by verifying Defender platform/engine currency (for example via 'Get-MpComputerStatus' and checking AMEngineVersion, or Update-MpSignature to force an update), and confirm managed/air-gapped endpoints that pull engine updates through WSUS/SCCM/Intune actually received the new engine. As a compensating control on multi-user hosts while confirming the engine version, restrict interactive local logon of low-privileged and untrusted users (this bug requires local low-privileged access, so limiting who can run code locally directly reduces exposure) - the trade-off is reduced shared-host usability. Since exploitation depends on filesystem link manipulation, monitoring for symlink/junction creation and unexpected mpengine file operations can aid detection, though it does not prevent the flaw.

Share

CVE-2026-50656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy