Microsoft Malware Protection Engine update leaks 8 bytes per SpyNet call in mpengine.dll
A defense-in-depth addition in the CVE-2026-50656 patch produces an 8-byte leak in mpengine.dll that SpyNet uses to cache unbounded Zone.Identifier files. The change removes prior size limits on certain cache operations, creating a practical disk-exhaustion vector. Affected systems require immediate monitoring or rollback until a corrected engine ships.
Microsoft released the patch on Wednesday to close the RoguePlanet zero-day in the Malware Protection Engine used by Defender. The update adds defense-in-depth changes that NightmareEclipse identified as introducing an 8-byte leak when mpengine.dll attempts file opens under specific SpyNet conditions. Automatic deployment began without user action and includes additional security feature updates.
The researcher demonstrated that the new code path bypasses Defender's normal file-size quarantine limits. SpyNet reporting functions continue to cache local copies of Zone.Identifier alternate data streams regardless of size, allowing repeated writes that accumulate until storage is full. This occurs even when real-time protection is disabled and affects both Windows 10 and 11.
The flaw connects to prior NightmareEclipse disclosures that forced rapid Microsoft responses. Operational impact includes silent consumption of system and user data partitions within weeks of exposure on unpatched endpoints. Microsoft has not issued a follow-up advisory addressing the side effect, leaving administrators to monitor disk metrics or block the update pending a revised engine build.
Microsoft: revised Malware Protection Engine build correcting the 8-byte leak ships to 80 percent of Windows endpoints within 45 days or disk-exhaustion reports exceed 5 percent of monitored Defender fleets.
Sources (3)
- [1]Microsoft Malware Protection Engine update notes(https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/engine-update-history)
- [2]NightmareEclipse disclosure thread(https://github.com/NightmareEclipse/CVE-2026-50656)
- [3]CVE-2026-50656 record(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50656)