Windows zero‑day leaked
A Windows zero‑day exploit was published ahead of Microsoft’s Patch Tuesday, prompting urgent warnings to patch vulnerable systems. Security outlets predict continued heavy cleanup this cycle as organisations race to validate and deploy fixes. (helpnetsecurity.com) (news4hackers.com)
A leaked Windows exploit landed in public before Microsoft’s April 14, 2026 Patch Tuesday, giving attackers a ready-made path to higher privileges on unpatched machines. (bleepingcomputer.com)

The exploit, nicknamed BlueHammer, was published on GitHub on April 3 and reported by BleepingComputer on April 6. The bug is a local privilege escalation flaw, which means an attacker who already has a foothold can use it to climb from a normal account to elevated administrator or SYSTEM access. (bleepingcomputer.com)

Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer the exploit works and abuses a time-of-check to time-of-use race plus path confusion. He said that access can expose the Security Account Manager database, which stores local password hashes, and lead to full machine compromise. (bleepingcomputer.com)

A zero-day is a software flaw with no vendor patch available when details become public. Microsoft’s own guidance says zero-day vulnerabilities are flaws for which no official security update is available yet, which is why public exploit code raises the pressure on defenders before a fix ships. (learn.microsoft.com)

Patch Tuesday is Microsoft’s regular monthly security release on the second Tuesday of each month, typically at 10:00 a.m. Pacific Time. In April 2026, that falls on Tuesday, April 14, leaving defenders a narrow window between the leak and the scheduled update cycle. (learn.microsoft.com)

Windows privilege escalation bugs have been a recurring problem in Microsoft’s patch stream. Rapid7 said more than half of the 25 Microsoft zero-days exploited in the wild during 2025 were elevation-of-privilege flaws on Windows assets, rather than the rarer wormable remote-code-execution bugs that spread on their own. (rapid7.com)

Microsoft’s March 2026 Patch Tuesday already included 83 CVEs, with two vulnerabilities publicly disclosed before fixes were available, according to Tenable. That recent history helps explain why security teams treat a fresh public Windows exploit days before the next release as an immediate patch-validation problem, not a routine advisory. (tenable.com)

As of April 13, 2026, the BlueHammer issue was not visible in Microsoft’s public Security Update Guide, and the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog did not show a corresponding entry. That means organizations were largely relying on third-party reporting and their own mitigation plans while waiting for Microsoft’s next release. (portal.msrc.microsoft.com) (cisa.gov)

The immediate risk is not that BlueHammer jumps across the internet by itself, but that it can turn a small breach into a deeper one. Once Patch Tuesday lands, the race shifts from finding the fix to testing it, deploying it, and closing the gap the leak opened. (bleepingcomputer.com) (learn.microsoft.com)