RoguePlanet: the race condition that hands over SYSTEM (CVE-2026-47281)

Yesterday's Patch Tuesday was the largest on record. Today, hours after it shipped, a researcher published a working exploit for a flaw that the patch did not cover, and demonstrated it spawning a command prompt running as SYSTEM on fully patched Windows 10 and 11. The bug is tracked as CVE-2026-47281, nicknamed RoguePlanet, carries a CVSS of 9.6, lives in the Microsoft Defender code path, and is confirmed under active exploitation. It is at least the sixth in a running series of Windows local-privilege-escalation drops from the same researcher this year.

A local privilege escalation rarely makes the front page the way a pre-auth remote bug does, because on its own it cannot get an attacker onto a machine. That framing is exactly backwards for defenders. LPE is the quiet, indispensable second half of nearly every real intrusion, and the speed of this drop is a textbook example of why the patch cycle alone is not a defense. This is a breakdown of how the race works, why the unglamorous local bug is the one that turns a foothold into a domain, and what you do when the exploit outruns the fix.

Why local privilege escalation is the half of the attack that finishes the job

Think about how a real intrusion actually unfolds. An attacker gets initial access through a phishing payload, a poisoned dependency, or a perimeter bug like the VPN flaw making the rounds this week. That foothold almost always lands them in a low-privilege context: a user account, a service account, a sandboxed process. From there, almost nothing interesting is reachable. Dumping credentials, installing a persistent service, tampering with the security agent, reading other users' data, moving to the next host: all of it wants higher privilege than the foothold provides.

That is the job a local privilege escalation does. It takes the attacker from "I am on the box as a nobody" to "I am SYSTEM," the highest local authority on a Windows machine. SYSTEM can read any file, inject into any process, disable defenses, and harvest the cached credentials and tokens that the attacker then replays to move laterally to the domain controller. In the kill chain, the LPE is the hinge between a single compromised endpoint and the whole estate. Threat-intelligence reporting this year measured the handoff from initial access broker to ransomware deployment collapsing to seconds, and that speed is only possible because the privilege-escalation step is reliable and fast. RoguePlanet is a reliable, fast one.

The defect class: time-of-check to time-of-use

RoguePlanet is a time-of-check to time-of-use race condition, abbreviated TOCTOU, in Defender's internal processing logic. The class is old and the shape is always the same. A privileged process checks a condition about a resource, a file path, a handle, an object, and finds it acceptable. Then, a moment later, it acts on that resource trusting that the earlier check still holds. In between the check and the use there is a window. If a lower-privileged attacker can change what the resource points to inside that window, the privileged process performs its trusted action on something the attacker swapped in.

The canonical version is a privileged service that validates a file is safe, then opens and acts on it by name. An attacker who can replace the file, or redirect the path through a link, between the validation and the open gets the privileged service to operate on attacker-controlled content. When the privileged process is a security component that runs as SYSTEM, winning that race converts into SYSTEM-level code execution. The exploit's job is to lose the race never and win it often, which on modern multi-core machines is very achievable: spray the operation, flip the resource at the right instant, and repeat until the window lands in your favor.

The reason TOCTOU bugs are so persistent is that the fix is not a one-line patch to a check. The check is fine. The vulnerability is the gap between checking and using, and closing it correctly means operating on a stable handle to the exact object that was validated, never re-resolving a name, never trusting that the world held still. That is harder than it sounds, which is why these bugs keep recurring across products and years.

Why "fully patched" did not help

The detail that makes RoguePlanet sting is that it works on fully patched Windows 10 and 11, and the exploit landed hours after the largest patch release in the vendor's history. That is the whole lesson of the negative-time-to-exploit era stated plainly. The patch cycle is necessary and you must keep up with it, but it is not a force field. There will always be a window, sometimes weeks, sometimes hours, between a capable researcher or adversary having a working primitive and your fleet being protected against it. A program that depends entirely on "we patch fast" has no answer for the day the exploit ships before the fix.

This is also a reminder that a local bug surfaced only by a customer-side agent or a patch-level review, not by a remote scanner. There is no network packet that reveals whether a given laptop is exposed to a SYSTEM race condition. The honest posture is to say so: this belongs on your endpoint and patch-management discipline, not on a perimeter scan, and pretending a remote tool can see it would be dishonest.

What defenders do when the exploit outruns the patch

You cannot version-scan your way out of a local race condition the day it drops, so you defend the layers around it.

1. Apply the out-of-band fix the moment it ships, and track which endpoints actually took it. For a SYSTEM-level LPE under active exploitation, expect an emergency update and deploy it on a fire schedule. Knowing your real, per-endpoint patch state is the difference between hoping and knowing.
2. Make the foothold expensive in the first place. An LPE needs code already running on the box. Phishing-resistant authentication, application control, and tight handling of the initial-access vectors this week's other stories cover all reduce the chance the attacker ever gets the low-privilege foothold the LPE needs.
3. Protect the security agent's integrity. A bug that gives SYSTEM through the security product is also a path to disabling that product. Tamper protection, and alerting when the agent stops reporting, turns a silent compromise into a visible one.
4. Hunt for the post-escalation behavior. You may not see the race, but you can see what SYSTEM access is used for: credential-dumping access patterns, new services, token manipulation, and lateral authentication from an endpoint that has no business initiating it. Detection at the behavior layer is what catches the intrusion the patch missed.
5. Reduce what one SYSTEM gets you. Local administrator and credential hygiene, so that owning one laptop does not yield a reusable domain credential, is what keeps a single-host LPE from becoming an enterprise event.

What this drop says about the year

The pattern here is not specific to one security product or one researcher. It is that privilege escalation is a permanent, reliable, and increasingly fast commodity in the intrusion economy, and that the patch cycle will keep losing the occasional race against a working exploit. The defensible response is depth: assume the LPE exists, assume the patch will sometimes be late, and build so that the foothold is hard to get, the escalation is hard to use undetected, and a single owned host is a contained event rather than a domain-wide one. We test the layers we can see, every week, the foothold surfaces and the patch state we can verify, and we are honest about the layer we cannot, the local race that lives below the network. The intrusion is a chain. You do not have to break every link, but you should know which links you can prove are holding.