Microsoft released a security update that closes a zero-day flaw highlighted by security researcher Nightmare Eclipse.
The patch arrived with the June 2026 Patch Tuesday rollup (KB5026365). It addresses a remote-code-execution vulnerability in the Windows kernel that was publicly disclosed on June 3, 2026. The fix applies to Windows 10 versions 20H2, 21H1 and 22H2, as well as Windows Server 2019 and 2022. Microsoft’s advisory cites CVE-2026-28437 as the identifier for the bug.
Closing the flaw matters because the vulnerability could be triggered over the network without user interaction, giving an attacker full system control. Enterprises that missed earlier updates now have a concrete remediation path, and the episode underscores the ongoing tension between vendors and independent researchers.
The patch lands just days after the researcher posted proof-of-concept code, reminding us that disclosure timing still drives the security calendar.
