Windows Defender (MsMpEng.exe) - Race Condition
Windows Defender (MsMpEng.exe) - Race Condition
Indicators of Compromise
- exploit-code: # Titles: Windows Defender (MsMpEng.exe) - Race Condition # Author: nu11secur1ty # Date: 2026-06-11 # Vendor: Microsoft Corporation # Software: Windows Defender Antivirus (MsMpEng.exe) # Reference: https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads ## Description: A race condition exists between Windows Defender's `MpCleanCallbackFunction` (cleanup routine) and Volume Shadow Copy creation. Successful exploitation results in: 1. LPE (Local Privilege Escalation) to NT AUTHORITY\SYSTEM via `CreateProcessAsUser` 2. Use-after-free condition causing Windows Defender (`MsMpEng.exe`) to crash 3. System remains without antivirus protection for the session The exploit uses: - Fake ISO mount via `OpenVirtualDisk` / `AttachVirtualDisk` - Real-time priority escalation (`REALTIME_PRIORITY_CLASS` + `THREAD_PRIORITY_TIME_CRITICAL`) - Speed racing against Defender's cleanup routine **STATUS: HIGH - Critical (0-Day / LPE)** Exploit: [url](https://gitlab.com/nu11secur1ty/0.git) Demo: [url](https://www.patreon.com/nu11secur1ty/posts/honda-exploit-160798929) Time spent: 9:10:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/ -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
Windows Defender (MsMpEng.exe) - Race Condition
Description
Windows Defender (MsMpEng.exe) - Race Condition
Technical Details
- Vendor
- Microsoft Corporation
- Application
- Windows Defender Antivirus
- Author
- nu11secur1ty
- Edb Id
- 52612
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for Windows Defender (MsMpEng.exe) - Race Condition
# Titles: Windows Defender (MsMpEng.exe) - Race Condition # Author: nu11secur1ty # Date: 2026-06-11 # Vendor: Microsoft Corporation # Software: Windows Defender Antivirus (MsMpEng.exe) # Reference: https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads ## Description: A race condition exists between Windows Defender's `MpCleanCallbackFunction` (cleanup routine) and Volume Shadow Copy creation. Successful exploitation results in: 1. LPE (Local Privilege Escalation) to NT AUTHORI... (1387 more characters)
Threat ID: 6a4c4f4d27e9c797199c909f
Added to database: 07/07/2026, 00:58:53 UTC
Last updated: 07/07/2026, 00:58:53 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.