
CVE-2026-50656 RoguePlanet — Safe Vulnerability Checker (Resurface)

by Ashraf Zaryouh (0xBlackash) · 2026-06-26

CVSS:              7.8/10
Severity:          High
CVE:               CVE-2026-50656
Category:          binary
Affected product:  Microsoft Malware Protection Engine (mpengine.dll, MsMpEng.exe)
Affected versions: Microsoft Defender Antivirus / Defender for Endpoint (pre-patch)
Disclosed:         2026-06-26
Patch status:      patched

Metadata

Field                 Value
Date Added            2026-06-26
Last Updated          2026-06-18
Author / Researcher   Ashraf Zaryouh (0xBlackash)
CVE / Advisory        CVE-2026-50656
Category              binary
Severity              High
CVSS Score            7.8 (CVSSv3)
Status                Researched
Tags                  LPE, Windows Defender, TOCTOU, symlink, reparse-point, junction, CWE-59, checker, detection, non-destructive, MsMpEng
Related               pocs/binary/2026-06-10_rogueplanet-defender-lpe/

Affected Target

Field                     Value
Software / System         Microsoft Malware Protection Engine (mpengine.dll, MsMpEng.exe)
Versions Affected         Microsoft Defender Antivirus / Defender for Endpoint (pre-patch)
Language / Platform       C++ (Windows x64)
Authentication Required   No (standard local user)
Network Access Required   No (local only)

Summary

CVE-2026-50656 is a High-severity Elevation of Privilege vulnerability in the Microsoft Malware Protection Engine, publicly referred to as RoguePlanet. It stems from improper link resolution before file access (CWE-59) — the engine follows attacker-controlled symbolic links, junction points, or reparse points during a scan operation, allowing privilege escalation to SYSTEM. This entry is a safe detection-only checker by a different researcher; the original weaponized exploit is at pocs/binary/2026-06-10_rogueplanet-defender-lpe/.


Vulnerability Details

Root Cause

The Microsoft Malware Protection Engine (MsMpEng.exe) performs privileged file access during real-time scanning without adequately validating filesystem links. A TOCTOU window between scan trigger and file access allows an unprivileged user to substitute the scan target via a symbolic link, hard link, junction, or reparse point, redirecting the privileged engine operation to an attacker-controlled path (CWE-59).

Attack Vector

  1. Drop an EICAR-like trigger file in a working directory to initiate a Defender scan.
  2. Race a symlink or junction creation against the engine’s file access in the scan window.
  3. If the race is won, the engine follows the redirected path under SYSTEM privileges.
  4. Redirect the privileged write or operation to a sensitive system path.

Impact

Privilege escalation from standard local user to SYSTEM via the Microsoft Malware Protection Engine.


Environment / Lab Setup

OS:       Windows 10 or Windows 11
Tools:    Compile CVE-2026-50656.cpp with MSVC or MinGW
Requires: MsMpEng.exe running (Real-Time Protection enabled)

Setup Steps

:: MSVC
cl.exe /O2 /EHsc CVE-2026-50656.cpp

:: MinGW
g++ -O2 -static -o rogue_check.exe CVE-2026-50656.cpp -luser32

Proof of Concept

Step-by-Step Reproduction

  1. Compile CVE-2026-50656.cpp.
  2. Run rogue_check.exe as a standard user with Defender active.
  3. The checker creates EICAR bait files and attempts controlled symlink races — no privilege escalation occurs.
  4. Output reports susceptibility likelihood.

Note: This PoC is a non-destructive checker only. It does not escalate privileges. For the full weaponized exploit see pocs/binary/2026-06-10_rogueplanet-defender-lpe/.

Exploit Code

See CVE-2026-50656.cpp in this folder.

Expected Output

=== CVE-2026-50656 (RoguePlanet) Safe Vulnerability Checker ===
Author: Ashraf Zaryouh "0xBlackash"
This is a SAFE detector. No privilege escalation or harmful actions.

[+] Defender detected. Starting controlled race condition checks...

[+] Test completed after 50 attempts.
[!] HIGH LIKELIHOOD OF VULNERABILITY: System appears susceptible to RoguePlanet TOCTOU.
    Recommendation: Monitor for Defender updates and restrict unprivileged symlink creation if possible.
    CVSS: 7.8 - Local EoP via improper link resolution before file access.

Screenshots / Evidence


Detection & Indicators of Compromise

Get-ChildItem -Path C:\Temp -Recurse -Force |
  Where-Object { $_.Attributes -match 'ReparsePoint' }

dir /A:L C:\Temp

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
  Where-Object { $_.Id -in @(1006,1007,1008,1116,1117) }

KQL (Defender XDR):

DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".lnk" or FolderPath contains "\\Temp\\"
| where InitiatingProcessAccountSid !startswith "S-1-5-18"
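
The one-liners above answer "is there a reparse point" and "did Defender fire". The following PowerShell script is an added example, not part of the original entry or the 0xBlackash repository: it sweeps the user-writable temp directories for reparse points, records link type and target, flags links whose target dangles, leaves the scanned root or lands under a system path, and then correlates each flagged link by creation time with the Defender operational event IDs listed above. The function names, the directory list, the sensitive-path prefixes and the 60-second correlation window are my own choices.

```powershell
# Added example (not from the advisory): hunt for link artifacts in temp directories
# and correlate them with Defender operational events. Names/paths are assumptions.

function Find-TempReparsePoints {
    [CmdletBinding()]
    param(
        # Directories a standard user can write to; adjust for your environment
        [string[]]$Path = @('C:\Temp', "$env:SystemRoot\Temp", $env:TEMP),
        # A link in a temp directory should never point into these trees
        [string[]]$SensitivePrefix = @($env:SystemRoot, $env:ProgramFiles,
                                       "$env:ProgramData\Microsoft\Windows Defender")
    )
    foreach ($root in $Path) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        $resolvedRoot = (Resolve-Path -LiteralPath $root).ProviderPath.TrimEnd('\')
        Get-ChildItem -LiteralPath $resolvedRoot -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
            ForEach-Object {
                $item   = $_
                $target = @($item.Target) | Select-Object -First 1
                # Relative symlink targets are resolved against the link's own directory
                if ($target -and -not [IO.Path]::IsPathRooted($target)) {
                    $target = Join-Path (Split-Path -LiteralPath $item.FullName -Parent) $target
                }
                $reasons = @()
                if (-not $target) {
                    # Reparse point that is not a symlink/junction (placeholder, AppExecLink, ...)
                    $reasons += 'target not exposed'
                } else {
                    if (-not (Test-Path -LiteralPath $target)) { $reasons += 'dangling target' }
                    if ($target -notlike "$resolvedRoot\*")     { $reasons += 'target outside scanned root' }
                    foreach ($p in $SensitivePrefix) {
                        if ($p -and $target -like "$($p.TrimEnd('\'))\*") { $reasons += "target under $p" }
                    }
                }
                [pscustomobject]@{
                    Link       = $item.FullName
                    LinkType   = $item.LinkType
                    Target     = $target
                    Created    = $item.CreationTime
                    Suspicious = ($reasons.Count -gt 0)
                    Reason     = ($reasons -join '; ')
                }
            }
    }
}

function Get-RecentDefenderEvents {
    # Event IDs are the ones named in the Detection section above
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1006, 1007, 1008, 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$links  = @(Find-TempReparsePoints)
$events = @(Get-RecentDefenderEvents -Hours 24)

$links | Where-Object Suspicious | Sort-Object Created | Format-Table -AutoSize
"Defender detection events in the last 24h: $($events.Count)"

# A link created within a minute of a detection event is the pattern worth a closer look
foreach ($l in ($links | Where-Object Suspicious)) {
    $near = @($events | Where-Object { [math]::Abs(($_.TimeCreated - $l.Created).TotalSeconds) -le 60 })
    if ($near.Count) { "[!] $($l.Link) created within 60s of Defender event(s): $($near.Id -join ',')" }
}
```

Run it from an elevated prompt so the Defender operational log and other users' temp directories are readable; hard links never carry the ReparsePoint attribute, so they are out of scope for this sweep and need the event-log side instead.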

Remediation

Action             Detail
Patch              Apply Microsoft security update for CVE-2026-50656 when released
Workaround         Restrict unprivileged symbolic link creation via Group Policy (Local Policies → User Rights Assignment → Create symbolic links); enable Tamper Protection and ASR rules
Config Hardening   Enable EDR; monitor for reparse point / junction creation in temp directories
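
To verify the workaround row above on a host, the following PowerShell script is an added example, not from the advisory or the checker's author: it reports whether the current token holds SeCreateSymbolicLinkPrivilege, whether Developer Mode is on (that is what lets SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE, the flag the checker passes, succeed for a standard user), which principals hold the "Create symbolic links" right at policy level when run elevated, and whether Tamper Protection is enabled. The function names are mine; the registry key, secedit and the Defender cmdlets are standard Windows components.

```powershell
# Added example (not from the advisory): audit the RoguePlanet workarounds on the local host.

function Test-CanCreateSymlink {
    # The privilege is listed in the token (enabled or disabled) whenever the
    # "Create symbolic links" right is assigned to this user or one of its groups.
    $privs = whoami.exe /priv /fo csv | ConvertFrom-Csv
    [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeCreateSymbolicLinkPrivilege' })
}

function Test-DeveloperModeEnabled {
    # Developer Mode allows symlink creation without the user right (Windows 10 1703+).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $v = Get-ItemProperty -Path $key -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
    [bool]($v -and $v.AllowDevelopmentWithoutDevLicense -eq 1)
}

function Get-SymlinkRightHolders {
    # Policy view: which SIDs hold the right. secedit needs an elevated prompt;
    # returns $null when the export did not happen.
    $cfg = Join-Path $env:TEMP "ura_$PID.inf"
    try {
        $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        if (-not (Test-Path -LiteralPath $cfg)) { return $null }
        $line = Get-Content -LiteralPath $cfg | Where-Object { $_ -match '^SeCreateSymbolicLinkPrivilege\s*=' }
        if (-not $line) { return @() }            # right assigned to nobody
        # Format is "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-32-545"
        ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Well-known SIDs that would hand the right to every standard user
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

$findings = @()
if (Test-CanCreateSymlink)     { $findings += 'current user holds SeCreateSymbolicLinkPrivilege' }
if (Test-DeveloperModeEnabled) { $findings += 'Developer Mode is on (unprivileged symlink creation allowed)' }

$holders = Get-SymlinkRightHolders
if ($null -eq $holders) {
    '[*] Not elevated: skipping policy export (secedit).'
} else {
    "[*] 'Create symbolic links' holders: $($holders -join ', ')"
    foreach ($h in $holders) {
        if ($broadSids.ContainsKey($h)) { $findings += "right assigned to $($broadSids[$h]) ($h)" }
    }
}

$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.IsTamperProtected)        { $findings += 'Tamper Protection is off' }
if ($mp -and -not $mp.RealTimeProtectionEnabled) { '[*] Real-Time Protection is off; the checker would abort here.' }

if ($findings) {
    '[!] Workarounds from the advisory are not fully in place:'
    $findings | ForEach-Object { "    - $_" }
} else {
    '[+] Unprivileged symlink creation is restricted and Tamper Protection is on.'
}
```

Run the token check as the standard user you are assessing: an elevated administrator token holds the right by default, so a finding there is expected. The secedit export is the only part that needs elevation; everything else works from a normal prompt.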

References


Notes

Auto-ingested from https://github.com/0xBlackash/CVE-2026-50656 on 2026-06-26. Ingested via issue #120.

Resurface of CVE-2026-50656 (RoguePlanet). New implementation by Ashraf Zaryouh (0xBlackash) as a safe detection-only checker — no actual privilege escalation is performed. Approach differs from the original (MSNightmare) weaponized exploit in pocs/binary/2026-06-10_rogueplanet-defender-lpe/, which uses ISO mounting and Task Scheduler WER abuse for a full SYSTEM shell.

The original entry’s CVE field was updated to CVE-2026-50656 upon ingesting this resurface.

CVE-2026-50656.cpp
// CVE-2026-50656_RoguePlanet_Checker.cpp
// Safe check PoC for RoguePlanet (TOCTOU / improper link resolution in MsMpEng)
// Compile: cl.exe /O2 /EHsc CVE-2026-50656_RoguePlanet_Checker.cpp
// Or: g++ -O2 -static -o rogue_check.exe CVE-2026-50656_RoguePlanet_Checker.cpp -luser32

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#pragma comment(lib, "user32.lib")

// Only present in Windows 10 (1703+) SDK headers; older MinGW headers lack it.
#ifndef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
#define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2
#endif

#define MAX_ATTEMPTS 50
#define TEMP_ROOT "C:\\Temp"
#define TEMP_DIR TEMP_ROOT "\\RogueCheck_"
#define FAKE_QUARANTINE "RoguePlanet_Check.tmp"

// Returns TRUE when the Defender engine process (MsMpEng.exe) is running.
// The wide-character snapshot API is used so the name comparison works
// whether or not UNICODE is defined at compile time.
BOOL IsDefenderRunning() {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) return FALSE;

    PROCESSENTRY32W pe32 = { sizeof(PROCESSENTRY32W) };
    BOOL found = FALSE;

    if (Process32FirstW(hSnapshot, &pe32)) {
        do {
            if (_wcsicmp(pe32.szExeFile, L"MsMpEng.exe") == 0) {
                found = TRUE;
                break;
            }
        } while (Process32NextW(hSnapshot, &pe32));
    }
    CloseHandle(hSnapshot);
    return found;
}

// Tries to create a directory symbolic link as the current (unprivileged) user.
// Returns TRUE only if the link was actually created. ERROR_PRIVILEGE_NOT_HELD
// means unprivileged symlink creation is restricted on this host (the workaround
// in the advisory), so such an attempt must not be counted as "vulnerable".
BOOL CreateTestSymlink(const char* target, const char* link) {
    if (CreateSymbolicLinkA(link, target,
                            SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE | SYMBOLIC_LINK_FLAG_DIRECTORY)) {
        return TRUE;
    }

    DWORD err = GetLastError();
    if (err == ERROR_PRIVILEGE_NOT_HELD) {
        static BOOL reported = FALSE;   // explain once, not on every attempt
        if (!reported) {
            printf("[*] Symlink creation denied (SeCreateSymbolicLinkPrivilege not held): mitigation active.\n");
            reported = TRUE;
        }
        return FALSE;
    }
    printf("[!] Failed to create symlink: %lu\n", err);
    return FALSE;
}

int main() {
    printf("=== CVE-2026-50656 (RoguePlanet) Safe Vulnerability Checker ===\n");
    printf("Author: Ashraf Zaryouh \"0xBlackash\"\n");
    printf("This is a SAFE detector. No privilege escalation or harmful actions.\n\n");

    if (!IsDefenderRunning()) {
        printf("[!] Microsoft Defender (MsMpEng.exe) is not running.\n");
        printf("   Enable Real-Time Protection for accurate testing.\n");
        return 1;
    }

    printf("[+] Defender detected. Starting controlled race condition checks...\n");

    // Per-process working directory under C:\Temp (which may not exist on a fresh install)
    char baseDir[MAX_PATH];
    snprintf(baseDir, sizeof(baseDir), "%s%lu", TEMP_DIR, (unsigned long)GetCurrentProcessId());
    CreateDirectoryA(TEMP_ROOT, NULL);
    if (!CreateDirectoryA(baseDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
        printf("[!] Cannot create working directory %s: %lu\n", baseDir, GetLastError());
        return 1;
    }

    int vulnerableAttempts = 0;
    for (int i = 0; i < MAX_ATTEMPTS; i++) {
        char linkPath[MAX_PATH];
        char targetPath[MAX_PATH];

        snprintf(linkPath, sizeof(linkPath), "%s\\check_%d", baseDir, i);
        snprintf(targetPath, sizeof(targetPath), "%s\\%s", baseDir, FAKE_QUARANTINE);

        // Write the EICAR test string so that real-time protection scans this path
        HANDLE hFile = CreateFileA(targetPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE) {
            const char* eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
            DWORD written = 0;
            WriteFile(hFile, eicar, (DWORD)strlen(eicar), &written, NULL);
            CloseHandle(hFile);
        }

        // Point a link at the bait file while the scan may be in flight.
        // The link stays inside baseDir; nothing is redirected to a sensitive path.
        if (CreateTestSymlink(targetPath, linkPath)) {
            Sleep(10); // Small window for race simulation
            vulnerableAttempts++;
        }

        // Cleanup. Defender may already have quarantined the bait, in which case
        // DeleteFileA simply fails; RemoveDirectoryA deletes the directory symlink
        // itself, never its target.
        DeleteFileA(targetPath);
        RemoveDirectoryA(linkPath);
    }

    printf("\n[+] Test completed after %d attempts.\n", MAX_ATTEMPTS);

    if (vulnerableAttempts > MAX_ATTEMPTS / 2) {
        printf("[!] HIGH LIKELIHOOD OF VULNERABILITY: System appears susceptible to RoguePlanet TOCTOU.\n");
        printf("    Recommendation: Monitor for Defender updates and restrict unprivileged symlink creation if possible.\n");
        printf("    CVSS: 7.8 - Local EoP via improper link resolution before file access.\n");
    } else {
        printf("[+] System shows lower susceptibility or mitigations may be active.\n");
        printf("    Still apply official Microsoft patch when released.\n");
    }

    printf("\nCleanup complete. Test files removed.\n");
    RemoveDirectoryA(baseDir);

    return 0;
}