Windows Defender (MsMpEng.exe) Race Condition -> LPE / SYSTEM / Use-After-Free -> Crash
2026-6-15 15:31:20 Author: cxsecurity.com

# Titles: Windows Defender (MsMpEng.exe) Race Condition -> LPE / SYSTEM / Use-After-Free -> Crash
# Author: nu11secur1ty
# Date: 2026-06-11
# Vendor: Microsoft Corporation
# Software: Windows Defender Antivirus (MsMpEng.exe)
# Reference: https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads

## Description:
A race condition exists between Windows Defender's `MpCleanCallbackFunction` (cleanup routine) and Volume Shadow Copy creation.

Successful exploitation results in:
1. LPE (Local Privilege Escalation) to NT AUTHORITY\SYSTEM via `CreateProcessAsUser`
2. Use-after-free condition causing Windows Defender (`MsMpEng.exe`) to crash
3. System remains without antivirus protection for the session

The exploit uses:
- Fake ISO mount via `OpenVirtualDisk` / `AttachVirtualDisk`
- Real-time priority escalation (`REALTIME_PRIORITY_CLASS` + `THREAD_PRIORITY_TIME_CRITICAL`)
- Speed racing against Defender's cleanup routine

**STATUS: HIGH - Critical (0-Day / LPE)**

Exploit: [url](https://gitlab.com/nu11secur1ty/0.git)
Demo: [url](https://www.patreon.com/nu11secur1ty/posts/honda-exploit-160798929)
Time spent: 9:10:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty
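A host triage sketch for the outcomes listed in the description (a crashed `MsMpEng.exe`, a session left without antivirus protection, a process running in the real-time priority class). This is an added example, not code from the advisory or its author. The 24-hour look-back window, the use of Service Control Manager events 7031/7034 and Application Error event 1000 as crash evidence, and the `Defender` message match are assumptions of this example.

```powershell
# Added triage example (not from the advisory). Run from an elevated PowerShell session.
$since = (Get-Date).AddDays(-1)   # assumed look-back window

# 1. Is the Defender service running, and is real-time protection still on?
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
[pscustomobject]@{
    ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
    AMServiceEnabled   = $mp.AMServiceEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
} | Format-List

# 2. Unexpected termination of the Defender service, as logged by the
#    Service Control Manager (7031 / 7034) in the System log.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7031, 7034; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 3. Crash records that name MsMpEng.exe, if Windows Error Reporting
#    wrote one (Application Error, event 1000).
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'
    Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MsMpEng\.exe' } |
    Format-Table TimeCreated, Message -AutoSize -Wrap

# 4. Processes currently in the real-time priority class. Few legitimate
#    user-mode programs request it, so each hit deserves a look.
Get-Process | ForEach-Object {
    try {
        if ($_.PriorityClass -eq 'RealTime') {
            [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Path = $_.Path }
        }
    } catch { }   # processes that deny the query are skipped
} | Format-Table -AutoSize
```

Step 4 only sees processes that are still running; a process that has already exited has to be found through process-creation logging, if that is enabled on the host.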


Article source: https://cxsecurity.com/issue/WLB-2026060013