Researcher alleges Microsoft Defender patch creates denial-of-service risk via disk exhaustion
A disputed zero-day fix for Windows Defender may cause the antivirus engine to write unbounded data to disk, according to the reporting researcher.
1 source · single source
- Microsoft patched a zero-day (CVE-2026-50656) in the Defender engine on July 9, 2026.
- The researcher who disclosed the flaw now says the patch can cause Defender to fill available disk space with cached files.
- Exploitation would require a malicious SMB server and could degrade or crash Windows due to a full disk.
Microsoft released an update on July 9, 2026 to address CVE-2026-50656, a zero-day in the Microsoft Malware Protection Engine used by Windows Defender. The patch was delivered automatically to affected systems.
The anonymous researcher NightmareEclipse, who publicly disclosed the vulnerability in June, now alleges the patch introduces a new behavior: Defender may write unbounded amounts of data to disk while processing Zone.Identifier alternative data streams, potentially exhausting available storage.
NightmareEclipse describes a scenario where a malicious actor operates a custom SMB server that serves a file (e.g., mimikatz.exe) followed by a large Zone.Identifier stream. By keeping the SMB connection alive without completing the read request, Defender holds locks on the files, causing disk space to be consumed until the drive is full.
The researcher notes that Windows Defender normally enforces hard limits on file sizes during scanning and quarantine to prevent disk exhaustion, but claims the SpyNet-related functionality in mpengine.dll bypasses these limits for Zone.Identifier streams.
Microsoft has not publicly confirmed the behavior described by NightmareEclipse. The company did not immediately respond to questions about the issue.
The dispute between NightmareEclipse and Microsoft dates back at least to May 2026, when the researcher accused Microsoft of silently patching a privately reported vulnerability without credit or coordinated disclosure. Subsequent releases of exploit code and additional zero-days by NightmareEclipse prompted Microsoft to publicly criticize the disclosure approach and hint at possible legal action before walking back the threat amid public backlash.
- Jul 9, 2026 · Schneier on Security
AI-generated text may erode natural speech patterns and human discourse, essay argues
Trust75 - Jul 8, 2026 · Schneier on Security
Five Eyes agencies warn AI models pose growing cybersecurity risks, urge faster defense adaptation
Trust74 - Jul 8, 2026 · Ars Technica — Technology Lab
Researchers demonstrate new prompt-injection attack that exploits LLM hallucinations to build botnets at scale
Trust79