Skip to main content

Microsoft Malware Protection Engine

3 CVEs product

Monthly

CVE-2026-55012 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run arbitrary code by having a maliciously crafted file processed by the scanning engine. The flaw stems from an integer overflow (CWE-190) that corrupts memory during scanning, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.

Buffer Overflow Microsoft Integer Overflow Microsoft Malware Protection Engine
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-55011 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.

Authentication Bypass Microsoft Integer Overflow Microsoft Malware Protection Engine
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-50656 HIGH PATCH NEWS Exploit Likely This Week

Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.

Microsoft Information Disclosure Microsoft Malware Protection Engine
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.4%
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run arbitrary code by having a maliciously crafted file processed by the scanning engine. The flaw stems from an integer overflow (CWE-190) that corrupts memory during scanning, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.

Buffer Overflow Microsoft Integer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.

Authentication Bypass Microsoft Integer Overflow +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Likely This Week

Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.

Microsoft Information Disclosure Microsoft Malware Protection Engine
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy