A new Windows zero-day vulnerability named LegacyHive has been released by the researcher known as Nightmare Eclipse, also referred to as Chaotic Eclipse. This previously unknown exploit, which was disclosed on the July 2026 Patch Tuesday, affects the Windows User Profile Service by allowing attackers to escalate privileges and load user hives, including those of administrators. The exploit requires the credentials of a standard user and a third username, potentially an administrator's account, to mount the target user hive into the current user's classes root. Although the proof-of-concept provided by the researcher is stripped down to prevent immediate exploitation in the wild, it highlights a serious security concern that currently remains unpatched. Nightmare Eclipse has a history of revealing zero-days in Microsoft products, including several that have been exploited in the past. Despite the severity of the situation, Microsoft has not yet acknowledged the issue. This leaves systems running Microsoft's July 2026 patches vulnerable to potential attacks until an official fix is provided.
LegacyHive Zero-Day Exploit Puts Windows User Profiles at Risk
Researcher published LegacyHive Windows zero-day PoC impacting User Profile Service, enabling arbitrary hive load privilege escalation.


