CVE-2026-50656 RoguePlanet — Safe Vulnerability Checker (Resurface)
by Ashraf Zaryouh (0xBlackash) · 2026-06-26
- Severity: High
- CVE: CVE-2026-50656
- Category: binary
- Affected product: Microsoft Malware Protection Engine (mpengine.dll, MsMpEng.exe)
- Affected versions: Microsoft Defender Antivirus / Defender for Endpoint (pre-patch)
- Disclosed: 2026-06-26
- Patch status: patched
Archive entry: intelseclab/poc-archive

Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-26 |
| Last Updated | 2026-06-18 |
| Author / Researcher | Ashraf Zaryouh (0xBlackash) |
| CVE / Advisory | CVE-2026-50656 |
| Category | binary |
| Severity | High |
| CVSS Score | 7.8 (CVSSv3) |
| Status | Researched |
| Tags | LPE, Windows Defender, TOCTOU, symlink, reparse-point, junction, CWE-59, checker, detection, non-destructive, MsMpEng |
| Related | pocs/binary/2026-06-10_rogueplanet-defender-lpe/ |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Malware Protection Engine (mpengine.dll, MsMpEng.exe) |
| Versions Affected | Microsoft Defender Antivirus / Defender for Endpoint (pre-patch) |
| Language / Platform | C++ (Windows x64) |
| Authentication Required | No (standard local user) |
| Network Access Required | No (local only) |
Summary
CVE-2026-50656 is a High-severity Elevation of Privilege vulnerability in the Microsoft Malware Protection Engine, publicly referred to as RoguePlanet. It stems from improper link resolution before file access (CWE-59) — the engine follows attacker-controlled symbolic links, junction points, or reparse points during a scan operation, allowing privilege escalation to SYSTEM. This entry is a safe detection-only checker by a different researcher; the original weaponized exploit is at pocs/binary/2026-06-10_rogueplanet-defender-lpe/.
Vulnerability Details
Root Cause
The Microsoft Malware Protection Engine (MsMpEng.exe) performs privileged file access during real-time scanning without adequately validating filesystem links. A TOCTOU window between scan trigger and file access allows an unprivileged user to substitute the scan target via a symbolic link, hard link, junction, or reparse point, redirecting the privileged engine operation to an attacker-controlled path (CWE-59).
Attack Vector
- Drop an EICAR-like trigger file in a working directory to initiate a Defender scan.
- Race a symlink or junction creation against the engine’s file access in the scan window.
- If the race is won, the engine follows the redirected path under SYSTEM privileges.
- Redirect the privileged write or operation to a sensitive system path.
Impact
Privilege escalation from standard local user to SYSTEM via the Microsoft Malware Protection Engine.
Environment / Lab Setup
OS: Windows 10 or Windows 11
Tools: Compile CVE-2026-50656.cpp with MSVC or MinGW
Requires: MsMpEng.exe running (Real-Time Protection enabled)
Setup Steps
Proof of Concept
Step-by-Step Reproduction
- Compile CVE-2026-50656.cpp.
- Run rogue_check.exe as a standard user with Defender active.
- The checker creates EICAR bait files and attempts controlled symlink races; no privilege escalation occurs.
- Output reports susceptibility likelihood.
Note: This PoC is a non-destructive checker only. It does not escalate privileges. For the full weaponized exploit see pocs/binary/2026-06-10_rogueplanet-defender-lpe/.
Exploit Code
See CVE-2026-50656.cpp in this folder.
Expected Output
=== CVE-2026-50656 (RoguePlanet) Safe Vulnerability Checker ===
Author: Ashraf Zaryouh "0xBlackash"
This is a SAFE detector. No privilege escalation or harmful actions.
[+] Defender detected. Starting controlled race condition checks...
[+] Test completed after 50 attempts.
[!] HIGH LIKELIHOOD OF VULNERABILITY: System appears susceptible to RoguePlanet TOCTOU.
Recommendation: Monitor for Defender updates and restrict unprivileged symlink creation if possible.
CVSS: 7.8 - Local EoP via improper link resolution before file access.
Screenshots / Evidence
Detection & Indicators of Compromise
KQL (Defender XDR):

```kql
// Hunt for file creation in Temp directories (or of .lnk files) by non-SYSTEM accounts.
// Note: ".lnk" matches shell shortcuts, not NTFS symlinks, junctions or reparse points;
// the \Temp\ path filter is the part relevant to this TOCTOU pattern.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".lnk" or FolderPath contains "\\Temp\\"
| where InitiatingProcessAccountSid !startswith "S-1-5-18"   // exclude LocalSystem
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessAccountSid
```
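As an added example (not the archive's or the author's code), the hunting filter above reimplemented in Python over constructed DeviceFileEvents-style records, extended to correlate a non-SYSTEM file creation under \Temp\ with a follow-up MsMpEng.exe event on the same path, which is the race shape the TOCTOU describes. Field names follow the query; the engine's follow-up ActionType, the sample SID and paths, and the five-second window are assumptions.

```python
"""Detection over DeviceFileEvents-style records for the RoguePlanet TOCTOU shape.
Added example, not the archive's code: field names follow the KQL above; the
engine's follow-up ActionType is assumed (e.g. FileDeleted on remediation)."""
from datetime import datetime

LOCALSYSTEM_SID = "S-1-5-18"
ENGINE_PROCESS = "msmpeng.exe"
USER_SID = "S-1-5-21-1111-2222-3333-1001"          # constructed standard-user SID
TEMP = r"C:\Users\alice\AppData\Local\Temp\bait"  # constructed path

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-26T10:00:00Z", "ActionType": "FileCreated", "FolderPath": TEMP,
     "FileName": "eicar.txt", "InitiatingProcessAccountSid": USER_SID,
     "InitiatingProcessFileName": "rogue_check.exe"},
    {"Timestamp": "2026-06-26T10:00:01Z", "ActionType": "FileDeleted", "FolderPath": TEMP,
     "FileName": "eicar.txt", "InitiatingProcessAccountSid": LOCALSYSTEM_SID,
     "InitiatingProcessFileName": "MsMpEng.exe"},
    {"Timestamp": "2026-06-26T10:05:00Z", "ActionType": "FileCreated",
     "FolderPath": r"C:\Users\alice\Documents", "FileName": "notes.docx",
     "InitiatingProcessAccountSid": USER_SID, "InitiatingProcessFileName": "WINWORD.EXE"},
]

def _path(ev):
    return (ev["FolderPath"].rstrip("\\") + "\\" + ev["FileName"]).lower()

def _ts(ev):
    return datetime.strptime(ev["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def temp_creations_by_users(events):
    """Same filter as the KQL: FileCreated of a .lnk or under \\Temp\\ by a non-SYSTEM SID."""
    return [ev for ev in events
            if ev["ActionType"] == "FileCreated"
            and (ev["FileName"].lower().endswith(".lnk") or "\\temp\\" in ev["FolderPath"].lower())
            and not ev["InitiatingProcessAccountSid"].startswith(LOCALSYSTEM_SID)]

def correlate_engine_access(events, window_s=5.0):
    """Pair each user-created temp file with a later MsMpEng.exe (SYSTEM) event on the
    same path within window_s seconds: the race shape worth alerting on, not the bare filter."""
    hits = []
    for bait in temp_creations_by_users(events):
        for ev in events:
            delta = (_ts(ev) - _ts(bait)).total_seconds()
            if (ev["InitiatingProcessFileName"].lower() == ENGINE_PROCESS
                    and ev["InitiatingProcessAccountSid"] == LOCALSYSTEM_SID
                    and _path(ev) == _path(bait) and 0 <= delta <= window_s):
                hits.append((bait["InitiatingProcessAccountSid"], _path(bait),
                             ev["ActionType"], delta))
    return hits
```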
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft security update for CVE-2026-50656 when released |
| Workaround | Restrict unprivileged symbolic link creation via Group Policy (Local Policies → User Rights Assignment → Create symbolic links); enable Tamper Protection and ASR rules |
| Config Hardening | Enable EDR; monitor for reparse point / junction creation in temp directories |
References
- CVE-2026-50656
- Source repository (0xBlackash/CVE-2026-50656)
- Original weaponized PoC
- MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation), T1548 (Abuse Elevation Control Mechanism)
Notes
Auto-ingested from https://github.com/0xBlackash/CVE-2026-50656 on 2026-06-26. Ingested via issue #120.
Resurface of CVE-2026-50656 (RoguePlanet). New implementation by Ashraf Zaryouh (0xBlackash) as a safe detection-only checker — no actual privilege escalation is performed. Approach differs from the original (MSNightmare) weaponized exploit in pocs/binary/2026-06-10_rogueplanet-defender-lpe/, which uses ISO mounting and Task Scheduler WER abuse for a full SYSTEM shell.
The original entry’s CVE field was updated to CVE-2026-50656 upon ingesting this resurface.