RoguePlanet Defender LPE (CVE-2026-50656) — Nightmare/Chaotic Eclipse wave, public PoC, no patch

cve · CVE-2026-50656

Coverage timeline

first 2026-06-19 → last 2026-06-19

Briefs

1 distinct

Sources cited

9 hosts

Sections touched

updates

Co-occurring entities

see Related entities below

Story timeline

2026-06-19CTI Daily Brief — 2026-06-19
updatesCVE assignment + MSRC 'Exploitation More Likely'; update to 2026-W24

Where this entity is cited

updates1

Source distribution

securityweek.com2 (20%)
helpnetsecurity.com1 (10%)
msrc.microsoft.com1 (10%)
thehackernews.com1 (10%)
attack.mitre.org1 (10%)
bleepingcomputer.com1 (10%)
security-hub.ncsc.admin.ch1 (10%)
theregister.com1 (10%)
other1 (10%)

Related entities

Microsoft DCU disrupts Fox Tempest MSaaS — 1,000+ Artifact Signing certs revoked; SDNY court order; downstream Rhysida, INC, Qilin, Akira + Vanilla Tempest, Storm-0501 / 2561 / 0249
incidentitem:microsoft-dcu-disrupts-fox-tempest-malware-signing-as-a-servi×1
Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners (gminer/lolMiner/SRBMiner-MULTI) under signed Microsoft binary
campaignitem:microsoft-ai-chatbot-search-poisoning-cryptojacking-screenconnect-process-hollowing×1
Microsoft MDASH — multi-model agentic vulnerability-discovery harness, 16 Windows CVEs found in network-stack kernel components
toolresearch:microsoft-mdash-2026×1
Microsoft Teams external-chat phishing (APT29/Cloaked Ursa, UNC6692)
campaigncampaign:teams-external-chat-phishing×1
Nightmare Eclipse Windows zero-day drops: YellowKey (BitLocker) and GreenPlasma (CTFMON LPE), public PoC
incidentnightmare-eclipse-windows-zerodaydrops-2026-05×1
Nightmare Eclipse: Microsoft DCU threat, GreenPlasma/MiniPlasma unpatched, July 14 deadline
campaignitem:nightmare-eclipse-microsoft-dcu-threat-greenplasma-miniplasmaaac×1
npm dependency-confusion campaigns targeting internal corporate namespaces (Microsoft 33 pkgs / Sonatype 176 pkgs)
campaignitem:npm-dependency-confusion-internal-namespace-campaigns-ms-sonatype×1
RoguePlanet: TOCTOU race in Microsoft Defender scan engine -> SYSTEM LPE, PoC, no CVE/patch
vulnerability-trenditem:nightmare-eclipse-rogueplanet-defender-toctou-lpe-2026-06×1

External references

NVD · cve.org · CISA KEV

All cited sources (10)

Items in briefs about RoguePlanet Defender LPE (CVE-2026-50656) — Nightmare/Chaotic Eclipse wave, public PoC, no patch (1)

UPDATE: Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch

From CTI Daily Brief — 2026-06-19 · published 2026-06-19 · view item permalink →

UPDATE (originally covered in the 2026-W24 weekly summary): The serialised Windows zero-day campaign tracked as Nightmare/Chaotic Eclipse has a new, formally-identified entry: RoguePlanet, the local elevation-of-privilege flaw in the Microsoft Malware Protection Engine (mpengine.dll, used by Defender on all supported Windows 10/11), is now assigned CVE-2026-50656, acknowledged by Microsoft, and rated Exploitation More Likely on the MSRC Exploitability Index (Microsoft MSRC, 2026-06-16; Help Net Security, 2026-06-17).

The exploit abuses a TOCTOU race: during a scan Defender resolves a file path and later reopens it for analysis, and the PoC swaps in a malicious file in that window to obtain a SYSTEM shell. It requires only local low-privilege access, needs no user interaction, and the researcher states it functions regardless of whether real-time protection is enabled — though the race makes it non-deterministic ("hit or miss") (The Hacker News, 2026-06-17). As of 2026-06-18 Microsoft states a fix is in development with no timeline; the public PoC is the in-window delta.