CVE-2026-50656 Overview
CVE-2026-50656 is an elevation of privilege vulnerability in the Microsoft Malware Protection Engine (MMPE), the core scanning component used by Microsoft Defender. The flaw, publicly tracked as RoguePlanet, allows a local authenticated attacker to gain elevated privileges by abusing link resolution behavior in the engine. Microsoft has acknowledged the issue and is working on a security update. The vulnerability is classified under [CWE-59: Improper Link Resolution Before File Access (Link Following)], indicating that the engine can be coerced into operating on attacker-controlled symbolic links or junctions. Because MMPE runs at high privilege on Windows systems, successful exploitation undermines a control that is frequently relied upon as a last line of defense.
Critical Impact
A local attacker with low privileges can leverage link-following behavior in Microsoft Defender's scanning engine to achieve elevation of privilege, with high impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft Malware Protection Engine (microsoft:malware_protection_engine)
- Microsoft Defender Antivirus deployments that ship MMPE
- Windows endpoints and servers using Defender as the active antimalware solution
Discovery Timeline
- 2026-06-16 - CVE-2026-50656 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-50656
Vulnerability Analysis
The vulnerability resides in how the Microsoft Malware Protection Engine handles file system links during scanning and quarantine operations. MMPE runs with SYSTEM-level privileges to inspect, move, and remediate files anywhere on disk. When the engine accesses a path that a low-privileged user can influence, it does not adequately validate whether the target is a symbolic link, junction, or hard link before performing privileged file operations. An attacker who can stage filesystem objects in a writable location can redirect those operations to arbitrary paths. The result is privileged file creation, overwrite, or deletion, which is a known building block for full local privilege escalation on Windows.
Root Cause
The root cause is improper link resolution before file access [CWE-59]. MMPE operates on file paths without enforcing a check-then-use guarantee that the target object is the same one originally evaluated. The high attack complexity reflected in the vector indicates the attacker must win a timing window or arrange specific filesystem state, consistent with a Time-of-Check Time-of-Use (TOCTOU) pattern against link reparse points.
Attack Vector
Exploitation requires local access and low privileges. The attacker places a crafted file or directory structure that Defender will scan or remediate, then swaps it for a reparse point pointing at a privileged target such as a file under C:\Windows\System32 or a service binary path. When MMPE proceeds with the privileged operation, the engine writes to or deletes the redirected target, enabling code execution as SYSTEM. No user interaction is required.
The public RoguePlanet project referenced from the GitHub RoguePlanet Project documents the technique. Refer to the Microsoft CVE-2026-50656 Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-50656
Indicators of Compromise
- Creation of NTFS junctions, symbolic links, or hard links in user-writable directories that resolve into protected paths such as C:\Windows\System32 or C:\Program Files.
- Unexpected writes, deletions, or quarantine actions on system binaries performed by MsMpEng.exe or MpCmdRun.exe.
- New or modified files under privileged paths whose owner is SYSTEM but whose content originates from a low-privileged user directory.
- Repeated Defender scan or remediation events targeting attacker-controlled paths immediately before privileged file changes.
Detection Strategies
- Monitor process and file telemetry for MsMpEng.exe performing file operations on reparse points originating in user-writable locations.
- Alert on creation of junctions or symlinks (CreateSymbolicLink, mklink /J, DeviceIoControl with FSCTL_SET_REPARSE_POINT) by non-administrative processes.
- Correlate Defender operational logs (Microsoft-Windows-Windows Defender/Operational) with subsequent privileged file modifications.
- Hunt for new services, scheduled tasks, or DLLs appearing in system directories shortly after Defender scan events triggered by a standard user.
Monitoring Recommendations
- Enable Sysmon FileCreate, FileCreateStreamHash, and reparse point related events on endpoints, and forward to a centralized SIEM.
- Track integrity of critical system directories using file integrity monitoring with SYSTEM-owned baselines.
- Review Defender platform and engine versions across the fleet to confirm rapid adoption of the fix once released.
How to Mitigate CVE-2026-50656
Immediate Actions Required
- Apply the Microsoft Malware Protection Engine update as soon as it is published in the Microsoft CVE-2026-50656 Advisory.
- Confirm that automatic updates for Defender definitions and platform components are enabled on all endpoints and servers.
- Restrict local logon and interactive access on high-value systems to limit the population of users able to stage an exploit.
- Audit existing junctions and symbolic links in user-writable directories and remove anomalous reparse points.
Patch Information
Microsoft has acknowledged CVE-2026-50656 and is preparing a security update for the Microsoft Malware Protection Engine. At publication time, no fixed engine version was listed. MMPE updates are delivered automatically through Defender platform updates, Windows Update, and WSUS. Administrators should verify the engine version after deployment using Get-MpComputerStatus and confirm it meets or exceeds the version published in the final advisory.
Workarounds
- No vendor-supplied workaround is currently documented; rely on least privilege and reduced local attack surface until the patch ships.
- Enforce Attack Surface Reduction rules and tamper protection to limit local processes that can manipulate Defender-scanned paths.
- Constrain the ability of standard users to create reparse points by reviewing SeCreateSymbolicLinkPrivilege assignments through Group Policy.
- Use application control (WDAC or AppLocker) to block unauthorized binaries that may be used to stage the link-following primitive.
# Verify Microsoft Defender engine and platform versions on Windows
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion, NISEngineVersion
# Force a Defender signature and engine update
Update-MpSignature
# Review SeCreateSymbolicLinkPrivilege assignment via secedit
secedit /export /cfg C:\Temp\secpol.cfg
findstr /I "SeCreateSymbolicLinkPrivilege" C:\Temp\secpol.cfg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

