CVE-2026-50656

HIGH

Microsoft Defender Elevation of Privilege Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-50656. PoCs published by 0xBlackash.

AI-analyzed exploit summary: The repository contains a C++ tool that checks for the presence of CVE-2026-50656, a TOCTOU vulnerability in Microsoft Defender's MsMpEng engine, by simulating race conditions with symbolic links. It does not exploit the vulnerability but detects potential susceptibility.

Description

Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet". We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.

Exploits (1)

GitHub · Scanner
by 0xBlackash · c++ · poc
https://github.com/0xBlackash/CVE-2026-50656

Classification: Scanner (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Malware Protection Engine (MsMpEng.exe)
No auth needed
Prerequisites: Microsoft Defender running with Real-Time Protection enabled · Ability to create symbolic links
devstral-2 · analyzed Jun 18, 2026

References (2)

Core References
Vendor Advisory (vendor-advisory, patch)
Microsoft Defender Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656

Scores

CVSS v3 7.8
EPSS 0.0034
EPSS Percentile 25.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-59
Status published
Products (2)
microsoft/malware_protection_engine
Microsoft/Microsoft Malware Protection Engine -
Published Jun 16, 2026
Tracked Since Jun 17, 2026