
Microsoft patches zero‑day flaw disclosed by researcher Nightmare Eclipse
Microsoft issued a critical Windows update on June 9, 2026 that closes a zero‑day vulnerability disclosed by independent researcher Nightmare Eclipse, and appears to fix a second zero‑day as well.
Microsoft released a security update on June 9, 2026 that patches a zero‑day vulnerability disclosed by independent researcher Nightmare Eclipse. The update, delivered through the standard Windows Update channel, closes the flaw that allowed attackers to gain unauthorized access to affected systems. Ars Technica notes that a second zero‑day appears to have been addressed in the same release, though Microsoft has not disclosed technical details or CVE identifiers.
What shipped
The patch is available for all supported Windows editions. It replaces the vulnerable component with a hardened version, effectively blocking the exploit path described by the researcher. Microsoft’s advisory lists the fix as critical, urging administrators to apply it immediately.
Why it matters
- The vulnerability targeted core Windows functionality, meaning any unpatched machine was exposed to remote code execution. Applying the patch removes that attack surface.
- The public disclosure underscores the growing tension between Microsoft and security researchers who favor full disclosure. Nightmare Eclipse’s decision to publish details forced Microsoft to accelerate its response.
- The incident highlights the importance of timely security updates in enterprise environments, where delayed patching can leave thousands of devices vulnerable.
The rivalry between Microsoft and Nightmare Eclipse is documented in a series of back‑and‑forth statements, with the researcher accusing the company of “delaying” fixes and Microsoft defending its process. This latest patch demonstrates that pressure from independent researchers can drive faster remediation, a dynamic that may shape future vulnerability‑handling policies. [ars-technica]


