"Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as 'RoguePlanet,'" the company said — and added that it is "working to provide a high-quality security update that addresses this vulnerability."
Microsoft confirms a Defender privilege-escalation bug and promises a patch
Microsoft has publicly acknowledged that it is working to remediate a zero-day in Microsoft Defender that has been dubbed RoguePlanet. The company assigned the issue the identifier CVE-2026-50656 and a CVSS score of 7.8, describing it as a privilege escalation flaw in the Microsoft Malware Protection Engine.
Microsoft's statement, quoted above, makes clear the vendor regards the problem as actionable and is developing an update: "We are working to provide a high-quality security update that addresses this vulnerability," the company said. In earlier comments to The Hacker News, Microsoft said it was "actively investigating the validity and potential applicability of these claims."
RoguePlanet (CVE-2026-50656): a race-condition exploit that targets Defender
The exploit published under the name RoguePlanet has been characterized by its author as a race condition that can yield a shell with SYSTEM-level privileges. The security researcher who released the proof-of-concept, who uses the handle Chaotic Eclipse (aka Nightmare-Eclipse), described the exploit as "a hit or miss" because of its race-condition nature and added that success rates vary across machines: "I have managed to get a 100% success rate on some machines while it struggled to work on others."
In a subsequent update, the researcher said the proof-of-concept "works regardless if real-time protection is on or not" and speculated it "even works in the case of passive mode," though noting they had not fully tested passive mode. Those observed characteristics — variability in success and operation independent of real-time protection — are the specific behavioral claims available so far.
Chaotic Eclipse's disclosure history and context
RoguePlanet is the fourth Microsoft Defender vulnerability publicly disclosed by Chaotic Eclipse. The researcher previously published exploits named BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). According to Microsoft's public statements, those earlier defects have been patched.
The sequence — multiple published Defender vulnerabilities followed by vendor patches — frames RoguePlanet as part of an ongoing disclosure-and-remediation cycle between this researcher and Microsoft. Microsoft said it is investigating the current report while simultaneously working on a security update to address it.
What this means for technologists and security teams, affected enterprises and procurement leaders, and end users
- Technologists and security teams: The researcher's claim that the proof-of-concept can operate regardless of real-time protection will be a focal point for detection and validation efforts; teams will watch for Microsoft’s forthcoming update and any technical guidance or mitigations accompanying it.
- Affected enterprises and procurement leaders: Organizations that deploy Microsoft Defender will be monitoring the release Microsoft described — both for the timing of the security update and for any follow-up advisories that document affected engine versions, mitigation steps, and testing guidance.
- End users and the general public: The researcher’s statement that the exploit can sometimes achieve SYSTEM-level access is the concrete risk signal here; users and administrators alike will rely on Microsoft’s promised patch and any published guidance about when and how to apply it.
Conclusion
Microsoft has acknowledged RoguePlanet as CVE-2026-50656 and said it is working on a remediation; the researcher behind the disclosure says the exploit is a race condition that can sometimes grant SYSTEM privileges and that the proof-of-concept works even with real-time protection enabled. Microsoft previously patched three other Defender flaws disclosed by the same researcher, and it is now investigating RoguePlanet while developing what it calls a "high-quality security update." The immediate, concrete question that remains on the record is the timing and technical scope of that update — Microsoft has said work is underway, but has not published a schedule in the statements on file.




