Microsoft Fixes High-Severity Zero-Day Vulnerabilities Following Researcher Dispute
- Microsoft released security updates on June 10, 2026, to patch two high-severity zero-day vulnerabilities.
- Both flaws were made public before Microsoft had shipped a fix, leaving the affected software exposed without a defense until the update was available.
- The disclosure included proof-of-concept code, which gives other attackers a working demonstration of the exploit and lowers the technical barrier to targeting the same flaws.
Microsoft released security updates on June 10, 2026, to patch two high-severity zero-day vulnerabilities. These flaws were disclosed by a researcher using the pseudonym Nightmare Eclipse, who released proof-of-concept code after alleging that Microsoft violated a prior agreement regarding the vulnerabilities, according to Ars Technica.
The patches close flaws that were published before a fix was ready, creating a window of risk in which the software was exposed without a defense. Nightmare Eclipse has published several high-severity flaws in recent months, turning each into a zero-day that could be exploited in the wild before Microsoft could patch it, according to Ars Technica.
The public disclosure included proof-of-concept code. This type of code provides a functional demonstration of how to exploit a vulnerability, which typically lowers the technical barrier for other attackers to target the same flaws, according to Ars Technica.
Why did Nightmare Eclipse disclose the vulnerabilities?
The researcher claims the public disclosures were a result of a failed agreement with Microsoft. According to Ars Technica, Nightmare Eclipse stated that the company reneged on an arrangement the two had made regarding the vulnerabilities they had discussed.
This dispute led the researcher to bypass coordinated disclosure, the process in which a researcher reports a flaw privately and withholds details until the vendor releases a patch. In March 2026, the researcher described the fallout of the broken agreement:
But someone violated our agreement and left me homeless with nothing. They knew this would happen and they still stabbed me in the back anyway, this is their decision not mine.
Nightmare Eclipse
What is the technical risk of these zero-days?
A zero-day vulnerability is a flaw that attackers can exploit before the vendor has shipped a fix; the vendor has had zero days of patch availability, whether because it never learned of the bug or, as here, because the bug was made public before the patch was ready. A high-severity rating typically means the flaw could allow significant unauthorized access or system disruption, according to Ars Technica.
The risk increased when Nightmare Eclipse published the proof-of-concept code. A vulnerability report tells a vendor that a hole exists; proof-of-concept code hands everyone else the map and the tools to walk through it. Public exploit code typically forces vendors to accelerate their patching timelines to head off widespread exploitation.
How does this differ from standard security reporting?
Most security researchers follow a “responsible disclosure” or “coordinated disclosure” model: the researcher reports the bug privately and agrees to withhold details for a set period, commonly 90 days, so the vendor can develop and deploy a fix. In return, the vendor often pays a bug bounty, although the amount and terms are set by the vendor’s program.

The situation with Nightmare Eclipse represents a breakdown of this trust-based system. The researcher’s claim of being left “with nothing” suggests a dispute over compensation or the terms of the bug bounty agreement. By publishing the flaws before a patch was ready, the researcher took the timeline out of the vendor’s hands, at the cost of immediately increasing the risk to every Microsoft user.
Microsoft’s June 10, 2026 updates close these specific gaps; because working proof-of-concept code is already public, administrators should treat them as priority patches rather than routine ones. The incident also highlights the ongoing tension between independent security researchers and the corporate entities that manage the software they analyze.
