Full story
Patch Tuesday, then PoC
Microsoft’s July 2026 Patch Tuesday release patched 570 vulnerabilities across Windows and related products, including two zero-day flaws already being exploited in the wild and 61 rated critical, according to The Tech Buzz.
The Hacker News reported that security researcher Chaotic Eclipse (aka Nightmare-Eclipse) released a new proof-of-concept exploit called LegacyHive hours after that Patch Tuesday, describing it as a "Windows User Profile Service arbitrary hive load elevation of privileges vulnerability."

Ars Technica said the exploit code enables low-privilege Windows accounts to make sensitive changes to administrator accounts, and it described the HiveLegacy proof-of-concept as "pretty powerful primitive" elevation-of-privilege targeting the Windows User Profile Service.
The Hacker News added that LegacyHive is functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update, and it said the researcher and Microsoft have been locked in a heated dispute since at least April 2026.
Dispute, Defender, and KEV
The Hacker News said Chaotic Eclipse and Microsoft have been locked in a heated dispute since at least April 2026, with the researcher releasing details of multiple exploits before Microsoft could patch them, citing a breakdown in communication.
It also reported that three vulnerabilities in Microsoft Defender came under active exploitation shortly after public disclosure, and it quoted Microsoft saying, "We have contacted the company for comment regarding LegacyHive, and we will update the story if we hear back."

Ars Technica said the pseudonymous NightmareEclypse has published nine such exploits, including Tuesday’s HiveLegacy, and it described the exploit as modifying an administrator account’s classes registry hive.
The Hacker News further said CISA added both SharePoint Server flaws flagged as actively exploited—CVE-2026-56164 and CVE-2026-56155—to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply fixes by July 17 and July 28, 2026, respectively.
Disk-filling risk after RoguePlanet
GIGAZINE reported that a new Microsoft Defender update could allow hackers to completely exhaust the disk space on Windows 11 PCs, describing a vulnerability discovered in Microsoft Defender that could cause excessive device storage consumption.
“Right on the heels of Microsoft releasing a record number of security patches, a researcher has published exploit code that can enable low-privilege Windows accounts to make sensitive changes to administrator accounts”
It said the issue is related to RoguePlanet, and it quoted that Microsoft fixed RoguePlanet by updating to version 1.1.26060.3008, while Nightmare Eclipse said another problem arose after the fix.
GIGAZINE explained that Microsoft Defender’s limit on file scans and quarantines does not apply to cached alternate data streams (ADS) called Zone.Identifiers, making it technically possible to write extremely large caches to disk to Microsoft Defender.
The article added that Nightmare Eclipse’s proof-of-concept showed the behavior was reproducible on Windows 11 25H2 and Windows Server 2025, and it noted Microsoft had not publicly commented on the disk space exhaustion issue in its advisory regarding RoguePlanet (CVE-2026-50656).




