high Code Vulnerability zero-day
Windows 'BlueHammer' Zero-Day LPE — Exploit Code Public, No Patch
| Severity | high |
| Status | open |
| Date | April 3, 2026 |
| Affects | Windows (multiple versions, unpatched) |
| Source | www.bleepingcomputer.com |
Details
Researcher released fully functional LPE exploit after dispute with MSRC. Combines TOCTOU race condition with path confusion to access the Security Account Manager (SAM) database containing password hashes, enabling escalation to SYSTEM. Not 100% reliable but works well enough to be a credible threat. No CVE assigned. No official patch exists.