ctipilot.ch

UPDATE: Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

UPDATE (originally covered in the 2026-W24 weekly summary): The serialised Windows zero-day campaign tracked as Nightmare/Chaotic Eclipse has a new, formally identified entry. RoguePlanet, the local elevation-of-privilege flaw in the Microsoft Malware Protection Engine (mpengine.dll, the engine Defender uses on all supported Windows 10/11 releases), is now assigned CVE-2026-50656, has been acknowledged by Microsoft, and is rated Exploitation More Likely on the MSRC Exploitability Index (Microsoft MSRC, 2026-06-16; Help Net Security, 2026-06-17).

The flaw is a time-of-check/time-of-use (TOCTOU) race: during a scan Defender resolves a file path and later reopens that path for analysis, and the PoC swaps a malicious file into place during that window to obtain a SYSTEM shell. The bug needs only local low-privilege access and no user interaction, and the researcher states it works whether or not real-time protection is enabled; because it depends on winning a race it is non-deterministic ("hit or miss"), so a PoC run that fails once is not evidence that a host is unaffected (The Hacker News, 2026-06-17). As a local EoP it presupposes code execution on the host, so it slots in after initial access rather than replacing it. As of 2026-06-18 Microsoft says a fix is in development with no timeline; the public PoC is what has changed since the W24 summary, and there is no patch to deploy.
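The check-then-use pattern described above, as an added illustration of the race class rather than Defender's code or the published PoC: a toy POSIX scanner that computes its verdict from one open() and then reopens the path for the trusted step, beside a handle-based version that performs both steps on the descriptor it already holds. Everything in it is constructed for the demo (the marker strings, the temp file, and a hook that stands in for the attacker winning the race, which makes the swap deterministic here where the real one is hit-or-miss); it models the bug class on Linux/POSIX, not mpengine.dll's internals or Windows handle semantics.

```c
/* Added example (not from ctipilot.ch, Microsoft or the PoC author):
 * a toy scanner showing the TOCTOU class the brief describes, and the
 * handle-based fix. Constructed demo, POSIX only. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed stand-ins for benign and malicious file content. */
static const char CLEAN_CONTENT[]     = "benign document";
static const char MALICIOUS_CONTENT[] = "MALICIOUS-MARKER";

/* Hook run inside the scanner's check/use window; in the demo it models the
 * attacker winning the race. Returns 0 on success. */
typedef int (*window_hook_t)(const char *path);

static int looks_malicious(const char *buf) {
    return strncmp(buf, MALICIOUS_CONTENT, sizeof MALICIOUS_CONTENT - 1) == 0;
}

/* Read up to n-1 bytes from fd into buf and NUL-terminate; -1 on error. */
static int read_content(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    if (got < 0) return -1;
    buf[got] = '\0';
    return 0;
}

static int write_file(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* Attacker side: atomically replace the file at `path` with a malicious one.
 * rename(2) is atomic, so the scanner only ever sees the old or the new file. */
static int swap_in_malicious(const char *path) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.swap", path) >= (int)sizeof tmp) return -1;
    if (write_file(tmp, MALICIOUS_CONTENT) != 0) return -1;
    return rename(tmp, path);
}

/* Vulnerable pattern: verdict from one open(), then the trusted step reopens
 * BY PATH and gets whatever is there now. Returns 1 if malicious content
 * reached the trusted step under a "clean" verdict, 0 otherwise, -1 on error. */
int scan_by_path(const char *path, window_hook_t hook) {
    char buf[256];
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (read_content(fd, buf, sizeof buf) != 0) { close(fd); return -1; }
    close(fd);                                   /* descriptor dropped: nothing pins the file */
    if (looks_malicious(buf)) return 0;          /* blocked before the trusted step */

    if (hook && hook(path) != 0) return -1;      /* the check/use window */

    fd = open(path, O_RDONLY | O_NOFOLLOW);      /* second resolution of the same path */
    if (fd < 0) return -1;
    if (read_content(fd, buf, sizeof buf) != 0) { close(fd); return -1; }
    close(fd);
    return looks_malicious(buf) ? 1 : 0;
}

/* Hardened pattern: open once and do both the verdict and the trusted step on
 * the same descriptor. A rename over the path afterwards does not change the
 * inode the descriptor refers to. Same return convention as scan_by_path(). */
int scan_by_handle(const char *path, window_hook_t hook) {
    char buf[256];
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    if (read_content(fd, buf, sizeof buf) != 0) { close(fd); return -1; }
    if (looks_malicious(buf)) { close(fd); return 0; }

    if (hook && hook(path) != 0) { close(fd); return -1; }   /* same window, but fd still held */

    /* Trusted step re-reads the object that was actually scanned. */
    if (lseek(fd, 0, SEEK_SET) < 0 || read_content(fd, buf, sizeof buf) != 0) { close(fd); return -1; }
    close(fd);
    return looks_malicious(buf) ? 1 : 0;
}

/* Creates a clean file in a fresh temp dir, runs one scanner with the swap
 * hook, cleans up, and returns that scanner's result. */
static int run_demo(int (*scanner)(const char *, window_hook_t)) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* constructed location */
    char path[4096];
    int result;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/sample.bin", dir);
    if (write_file(path, CLEAN_CONTENT) != 0) { rmdir(dir); return -1; }
    result = scanner(path, swap_in_malicious);
    unlink(path);
    rmdir(dir);
    return result;
}

int demo_vulnerable(void) { return run_demo(scan_by_path); }
int demo_hardened(void)   { return run_demo(scan_by_handle); }

int main(void) {
    printf("path-based scanner:   %d (1 = malicious content reached the trusted step)\n", demo_vulnerable());
    printf("handle-based scanner: %d\n", demo_hardened());
    return 0;
}
```

The hook forces the swap to land in the window every time; in a real race the attacker loops rename attempts and wins only sometimes, which is the "hit or miss" behaviour the brief reports. The fix is not a re-check but a change of reference: once the verdict and the action both use the held descriptor, the path can point anywhere and the outcome does not change. After the swap, fstat() on the held descriptor reports st_nlink == 0, which a scanner can log as evidence that its target was replaced mid-scan.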