Share
## https://sploitus.com/exploit?id=EDB-ID:52612
# Titles: Windows Defender (MsMpEng.exe) - Race Condition 
# Author: nu11secur1ty
# Date: 2026-06-11
# Vendor: Microsoft Corporation
# Software: Windows Defender Antivirus (MsMpEng.exe)
# Reference:
https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads

## Description:
A race condition exists between Windows Defender's
`MpCleanCallbackFunction` (cleanup routine) and Volume Shadow Copy
creation. Successful exploitation results in:

1. LPE (Local Privilege Escalation) to NT AUTHORITY\SYSTEM via
`CreateProcessAsUser`
2. Use-after-free condition causing Windows Defender (`MsMpEng.exe`) to
crash
3. System remains without antivirus protection for the session

The exploit uses:
- Fake ISO mount via `OpenVirtualDisk` / `AttachVirtualDisk`
- Real-time priority escalation (`REALTIME_PRIORITY_CLASS` +
`THREAD_PRIORITY_TIME_CRITICAL`)
- Speed racing against Defender's cleanup routine

**STATUS: HIGH - Critical (0-Day / LPE)**

Exploit:
[url](https://gitlab.com/nu11secur1ty/0.git)

Demo:
[url](https://www.patreon.com/nu11secur1ty/posts/honda-exploit-160798929)

Time spent:
9:10:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/
-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>