
Microsoft’s patch for a Windows Defender zero-day vulnerability may have introduced a new problem: on some systems, the update can write files large enough to completely consume available disk space.
The patch, released on Wednesday, July 8, addresses the RoguePlanet vulnerability — a local privilege escalation exploit that grants attackers SYSTEM-level access on fully patched Windows 10 and Windows 11 machines. RoguePlanet was disclosed publicly by a researcher operating under the alias Nightmare Eclipse (also known as Chaotic Eclipse) and targets a Time-of-Check to Time-of-Use (TOCTOU) race condition in Defender’s real-time scanning engine.
When successfully exploited, RoguePlanet spawns a Windows command prompt running as NT AUTHORITYSYSTEM — the highest privilege level on a Windows machine — allowing an attacker to execute code, install software, and access or delete any data on the system.
The side effect
According to Ars Technica, the patch Microsoft released to fix RoguePlanet may cause Defender to generate large files that grow until they fill the available disk space on affected machines. The exact conditions that trigger the behavior are not yet fully understood, but the issue has been reported across multiple Windows configurations.
The complication is the latest chapter in an escalating confrontation between Microsoft and the researcher behind the disclosures. Nightmare Eclipse has now released at least seven Defender-related exploits since April 2026, including BlueHammer (CVE-2026-33825, patched April), RedSun, UnDefend — a tool that can disable Defender entirely — YellowKey, GreenPlasma, and MiniPlasma.
Microsoft previously warned it would work with law enforcement against actors causing harm, which the researcher cited as the reason for moving exploits off mainstream platforms to a self-hosted Git repository. Three of the earlier exploits were confirmed exploited in the wild before Microsoft could issue patches.
Huntress researchers have documented real-world intrusions using earlier tools from this researcher’s campaign, with BlueHammer, RedSun, and UnDefend observed in active attack chains.
For users, the recommendation remains: install the update to close the RoguePlanet vulnerability, but monitor disk space closely in the days following installation. Microsoft has not yet commented on whether a fix for the patch’s side effect is in development.
Sources: Patch for Windows Defender 0-day could allow attackers to fill hard disk (Ars Technica, July 9, 2026); RoguePlanet: Microsoft Defender zero-day (CybelAngel); Windows Defender 0-Day Exploit RoguePlanet (Cyber Security News)

