Severity: HIGH | CVE-2026-50656 | CNA: microsoft

CVE-2026-50656: Microsoft Defender Elevation of Privilege Vulnerability

Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet". We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is an elevation of privilege vulnerability in the Microsoft Malware Protection Engine, the core scanning component of Microsoft Defender. An attacker who already has a low-privilege account on the affected host can exploit this locally, without any network access or user interaction, to gain full control over the system. Successful exploitation gives the attacker high-level read, write, and execution capabilities across the host. No fix version has been published yet; HarborGuard tracks this advisory and will flag a patched-image rebuild the moment Microsoft ships a security update.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Microsoft Malware Protection Engine. Any image carrying an affected version of the engine will surface in scan results automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 (High) and weighting it against each customer organization's compliance policy to determine urgency. Routed findings land in the inbox of the team or individual designated within each customer org's routing configuration.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the Microsoft advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream security update is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically as soon as a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to begin the attack.

  • Victim interaction: Not required

    The exploit executes without any action from another user on the system.

  • Attack complexity: Detail

    The exploit is reliable and requires no special race conditions or environmental configuration; it succeeds consistently given local access.

Blast Radius

  • A successful attacker can read any file on the host, including credential stores, secrets, and application data.
  • A successful attacker can write or modify any file on the host, including system binaries and security tool configurations.
  • A successful attacker can crash or terminate any process, including the Defender engine itself, removing malware detection from the host.
  • Combined read, write, and availability control means the attacker can effectively own the host, pivot to adjacent systems, or establish persistence.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50656 is active across all scanning pipelines, matching any image that bundles the Microsoft Malware Protection Engine against the published advisory. Because Microsoft has not yet released a security update, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle; once a fix version is published, a patched rebuild will become available immediately, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include restricting local login access to the affected hosts, enforcing least-privilege policies to limit which accounts can reach the Defender engine process, and applying network-policy isolation to reduce attacker mobility if a lower-severity foothold is established elsewhere in the environment.

Affected packages
  • Microsoft / Microsoft Malware Protection Engine
    -
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C