Skip to content
Safety · Jul 10, 2026

Researcher alleges Microsoft Defender patch creates denial-of-service risk via disk exhaustion

A disputed zero-day fix for Windows Defender may cause the antivirus engine to write unbounded data to disk, according to the reporting researcher.

Trust72
HypeSome hype

1 source · single source

ShareXLinkedInEmail
TL;DR
  • Microsoft patched a zero-day (CVE-2026-50656) in the Defender engine on July 9, 2026.
  • The researcher who disclosed the flaw now says the patch can cause Defender to fill available disk space with cached files.
  • Exploitation would require a malicious SMB server and could degrade or crash Windows due to a full disk.

Microsoft released an update on July 9, 2026 to address CVE-2026-50656, a zero-day in the Microsoft Malware Protection Engine used by Windows Defender. The patch was delivered automatically to affected systems.

The anonymous researcher NightmareEclipse, who publicly disclosed the vulnerability in June, now alleges the patch introduces a new behavior: Defender may write unbounded amounts of data to disk while processing Zone.Identifier alternative data streams, potentially exhausting available storage.

NightmareEclipse describes a scenario where a malicious actor operates a custom SMB server that serves a file (e.g., mimikatz.exe) followed by a large Zone.Identifier stream. By keeping the SMB connection alive without completing the read request, Defender holds locks on the files, causing disk space to be consumed until the drive is full.

The researcher notes that Windows Defender normally enforces hard limits on file sizes during scanning and quarantine to prevent disk exhaustion, but claims the SpyNet-related functionality in mpengine.dll bypasses these limits for Zone.Identifier streams.

Microsoft has not publicly confirmed the behavior described by NightmareEclipse. The company did not immediately respond to questions about the issue.

The dispute between NightmareEclipse and Microsoft dates back at least to May 2026, when the researcher accused Microsoft of silently patching a privately reported vulnerability without credit or coordinated disclosure. Subsequent releases of exploit code and additional zero-days by NightmareEclipse prompted Microsoft to publicly criticize the disclosure approach and hint at possible legal action before walking back the threat amid public backlash.

Sources
  1. 01Ars Technica — Technology LabPatch for Windows Defender 0-day could allow attackers to fill hard disk
Also on Safety

Stories may contain errors. Dispatch is assembled with AI assistance and curated by human editors; despite the trust-score filter, mistakes happen. We correct publicly — every article links to its revision history. Nothing here is financial, legal, or medical advice. Verify before relying on any claim.

© 2026 Dispatch. No ads. No sponsorships. No paid placement. Reader-supported via Ko-fi.

Built by a person who cares about honest AI news.