<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windows Defender Antivirus (MsMpEng.exe) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/windows-defender-antivirus-msmpeng.exe/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 13:22:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/windows-defender-antivirus-msmpeng.exe/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Defender Race Condition (EDB-52612) Leads to Local Privilege Escalation and AV Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-windows-defender-race-condition-lpe/</link><pubDate>Mon, 06 Jul 2026 13:22:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-windows-defender-race-condition-lpe/</guid><description>A critical local race condition (EDB-52612) exists in Microsoft Windows Defender's MsMpEng.exe, specifically between its cleanup routine (`MpCleanCallbackFunction`) and Volume Shadow Copy creation, allowing Local Privilege Escalation (LPE) to NT AUTHORITY\SYSTEM and temporary disabling of antivirus protection through a use-after-free vulnerability, with a public exploit demonstrating the risk.</description><content:encoded><![CDATA[<p>A critical local race condition vulnerability (EDB-52612) affecting Microsoft Windows Defender's scanning engine (MsMpEng.exe) has been publicly disclosed on Exploit-DB. Published by nu11secur1ty on July 6, 2026, this flaw exists between Defender's cleanup routine (<code>MpCleanCallbackFunction</code>) and Volume Shadow Copy creation. Successful exploitation, demonstrated by a public Proof-of-Concept, grants local privilege escalation (LPE) to <code>NT AUTHORITY\SYSTEM</code> via <code>CreateProcessAsUser</code> and can trigger a use-after-free condition, causing MsMpEng.exe to crash. This not only elevates attacker privileges but also leaves the compromised system temporarily without antivirus protection. The availability of a working exploit elevates the immediate risk for organizations running unpatched Windows systems, requiring immediate attention from defenders.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial local access to a vulnerable Windows system, typically through other means (e.g., social engineering, exploiting a user-level application vulnerability).</li>
<li>The attacker executes a malicious process that leverages Windows API calls like <code>OpenVirtualDisk</code> and <code>AttachVirtualDisk</code> to mount a fake ISO image.</li>
<li>The malicious process elevates its own or specific thread priorities to <code>REALTIME_PRIORITY_CLASS</code> and <code>THREAD_PRIORITY_TIME_CRITICAL</code> to enhance its ability to win race conditions.</li>
<li>The attacker initiates operations designed to trigger a race condition between Windows Defender's <code>MpCleanCallbackFunction</code> (cleanup routine) and the system's Volume Shadow Copy creation.</li>
<li>During the race, the attacker manipulates file system operations to substitute or plant malicious files in a location Defender is processing for cleanup.</li>
<li>The vulnerability allows the malicious process to execute code or manipulate system services using <code>CreateProcessAsUser</code> with <code>NT AUTHORITY\SYSTEM</code> privileges.</li>
<li>The system process <code>MsMpEng.exe</code> experiences a use-after-free condition and crashes, leaving the system temporarily without active antivirus protection.</li>
<li>The attacker maintains <code>NT AUTHORITY\SYSTEM</code> privileges, enabling full control over the compromised system, persistence, and further malicious activities without AV detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of this race condition results in an attacker achieving <code>NT AUTHORITY\SYSTEM</code> privileges on the compromised Windows host. This complete control allows for arbitrary code execution, data exfiltration, deployment of further malware, and establishment of persistence. Additionally, the exploit can cause the <code>MsMpEng.exe</code> process to crash due to a use-after-free condition, temporarily disabling Windows Defender's real-time protection and leaving the system vulnerable to subsequent attacks without immediate antivirus safeguards.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the official Microsoft security update as soon as it becomes available to patch the race condition vulnerability (EDB-52612) in Windows Defender (MsMpEng.exe).</li>
<li>Implement advanced API monitoring on endpoints for suspicious calls to <code>OpenVirtualDisk</code> or <code>AttachVirtualDisk</code> from non-system processes, particularly when observed alongside rapid process priority changes, to potentially identify exploitation attempts.</li>
<li>Focus endpoint detection on <code>CreateProcessAsUser</code> calls where the resulting process runs as <code>NT AUTHORITY\SYSTEM</code> but is spawned by an unusual parent process or exhibits suspicious command-line arguments.</li>
<li>Configure monitoring for crashes of <code>MsMpEng.exe</code> (e.g., via event logs) that are not attributed to legitimate system reconfigurations or updates, as this could indicate a successful use-after-free exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>local-privilege-escalation</category><category>race-condition</category><category>windows-defender</category><category>exploit-db</category><category>vulnerability</category><category>endpoint</category></item></channel></rss>