New Windows Defender local 0‑day surfaced

Security researchers flagged 'BlueHammer', a local Windows Defender zero‑day that enables privilege escalation to SYSTEM on affected machines. Because the vulnerability is local, exploitation needs initial access, but defenders should expect rapid mitigation guidance and patches from Microsoft. (x.com)

A Windows account with almost no rights can apparently turn itself into the machine's top authority with a new exploit called BlueHammer, and working code was posted publicly on April 3, 2026. Multiple security outlets say the bug is still unpatched as of April 9. (bleepingcomputer.com)

To follow this story, start with what "local" means. BlueHammer is not a bug that reaches in from the internet by itself; it needs someone to already have a foothold on the computer, like a malicious program, a stolen user session, or a compromised employee account. (kudelskisecurity.com) The prize is a Windows identity called SYSTEM, short for NT AUTHORITY\SYSTEM. That account sits above normal administrators and can read protected files, install services, and control core parts of the operating system. (techrepublic.com)

BlueHammer appears to target Microsoft Defender's signature update process, which is the routine that refreshes the malware definitions Defender uses to recognize bad files. Researchers say the exploit does not smash memory or break the kernel; it chains together normal Windows features in the wrong order until Defender writes where it should not. (cyderes.com) One piece of that chain is a race condition, a timing bug where the system checks one thing and then acts a split second later, after the situation has changed. Another piece is path confusion, where software is tricked about which file or folder it is really touching. (rhisac.org)

Researchers say those mistakes can expose the Security Account Manager database, the Windows vault that stores local account password data. Once an attacker can dump those password hashes, they can use pass-the-hash techniques to impersonate more powerful accounts without knowing the plain-text password. (rhisac.org) This is why defenders treat "local" privilege escalation seriously even when it is not a worm. In a real intrusion, attackers often land first with weak permissions through phishing or a browser bug, then use a second tool like this one to take over the whole box. (helpnetsecurity.com)

The unusual part of this case is how it surfaced. Reports say a researcher using the name Chaotic Eclipse released the proof of concept after a dispute with Microsoft's vulnerability handling process, and independent researchers including Will Dormann were cited as confirming that the exploit works. (forbes.com) (cyderes.com) No Common Vulnerabilities and Exposures identifier had been assigned in the reports published this week, and Microsoft had not shipped a fix in the coverage available on April 9. That leaves defenders watching for odd Security Account Manager access, sudden jumps to SYSTEM, and abuse around Defender update activity while they wait for official guidance. (cyderes.com) (securityarsenal.com)

So the practical read is narrow but urgent: BlueHammer does not hand strangers instant remote access, but it can turn a small breach into full machine control on affected Windows systems. When public exploit code exists before a patch, copycats usually move faster than enterprise patch cycles. (kudelskisecurity.com) (bleepingcomputer.com)
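One concrete way to act on the "odd Security Account Manager access" watch item above, as an added example that is not code from any of the outlets cited: a small triage routine that canonicalises object paths (so case changes, forward slashes and `..` segments, the raw material of path confusion, cannot hide a reference to the SAM hive) and flags any file-access event on that hive whose subject is not NT AUTHORITY\SYSTEM. The event records are constructed for the example and modelled on the fields of Windows Security event 4663; the field names, account names and paths are assumptions, not values from the reports.

```python
import ntpath

# Constructed sample records (not real telemetry), shaped like the fields of
# Windows Security event 4663 "An attempt was made to access an object".
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "SubjectDomainName": "WORKSTATION", "SubjectUserName": "lowpriv",
     "ObjectName": r"C:\Windows\..\Windows\System32\CONFIG\sam",   # disguised path
     "ProcessName": r"C:\Users\lowpriv\AppData\Local\Temp\tool.exe"},
    {"EventID": 4663, "SubjectDomainName": "WORKSTATION", "SubjectUserName": "lowpriv",
     "ObjectName": r"C:\Users\lowpriv\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

SAM_HIVE_DIR = r"\windows\system32\config"


def normalize_path(path: str) -> str:
    """Canonicalise a Windows path: drop the \\?\ prefix, unify separators,
    resolve '.' and '..' segments, and fold case (NTFS is case-insensitive)."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_sam_hive(object_name: str) -> bool:
    """True for the SAM hive itself or its transaction logs (SAM.LOG, SAM.LOG1, ...)."""
    norm = normalize_path(object_name)
    directory, base = ntpath.dirname(norm), ntpath.basename(norm)
    return directory.endswith(SAM_HIVE_DIR) and (base == "sam" or base.startswith("sam.log"))


def flag_sam_access(events):
    """Return one finding per SAM-hive access whose subject is not SYSTEM.
    Routine SYSTEM reads (e.g. by lsass.exe) are expected; anything else is
    handed to an analyst, who can then down-rank sanctioned backup activity."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663 or not is_sam_hive(ev.get("ObjectName", "")):
            continue
        domain = ev.get("SubjectDomainName", "").upper()
        user = ev.get("SubjectUserName", "").upper()
        if domain == "NT AUTHORITY" and user == "SYSTEM":
            continue
        findings.append(f"{domain}\\{user} via {ev.get('ProcessName')} -> {ev.get('ObjectName')}")
    return findings


if __name__ == "__main__":
    for line in flag_sam_access(SAMPLE_EVENTS):
        print("SAM hive access by non-SYSTEM principal:", line)
```

On a real host the records would come from the Security log (after enabling object-access auditing with a SACL on the hive files) rather than from the inline list.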
