LegacyHive drops Windows profsvc zero-day PoC after Patch Tuesday
Nightmare Eclipse published LegacyHive on GitHub the same day as Microsoft's July 2026 Patch Tuesday. It's an unpatched profsvc LPE that still works on fully-updated Windows.
The researcher known as Nightmare Eclipse (also Chaotic Eclipse, GitHub handle MSNightmare) published LegacyHive on July 14, 2026 — the same day as Microsoft's July Patch Tuesday. The repository ships a proof-of-concept for an unpatched Windows User Profile Service (profsvc) arbitrary-hive-load privilege-escalation flaw. No CVE has been assigned, and Microsoft has not yet issued an advisory. Primary source: github.com/MSNightmare/LegacyHive.
What the bug does
profsvc — the Windows service that mounts each user's registry hive when a profile loads — can be steered by a low-privileged local account into mounting another user's hive into the current session's HKEY_CURRENT_USER\Classes root. The attacker doesn't get direct read/write on the target hive on disk; they get the OS itself to remap where their own HKCR view comes from. That's the primitive.
Will Dormann described it as a "pretty powerful primitive" on X because HKCR participates in COM class registration and ShellExecute lookups. A non-admin who can influence an administrator's HKCR view can plant a class handler that the administrator's next elevated shell action will execute. From LPE-to-SYSTEM, the exploitation shape is well-worn.
Affected versions
The GitHub README states the PoC "works on all currently supported desktop and server Windows installations carrying the July 2026 patch." That includes Windows 10, Windows 11, Windows Server 2019, 2022, and 2025 with the July 8 cumulative update applied. There is no fixed build — Microsoft's July release did not address this flaw.
Exploitation status
No in-the-wild exploitation reported at time of writing. The public disclosure is the PoC itself and its GitHub description; no Microsoft advisory, no CISA KEV entry, no vendor telemetry naming an actor.
The published PoC is deliberately stripped:
- It requires an additional standard user's credential and a third username (which can be an administrator account) supplied on the command line.
- It is limited to the
usrclass.dathive.
Per the repo README, the original — unpublished — version required neither the extra credential nor was limited to usrclass.dat. Nightmare Eclipse's stated goal is to demonstrate the flaw without handing out an unauthenticated, one-shot LPE.
Kevin Beaumont, quoted by cybersecuritynews.com, said the stripped PoC as published works and isn't patched. Will Dormann called the primitive "pretty powerful" — a non-admin gaining the ability to modify an administrator user's classes registry hive.
Action checklist
There is no patch. Interim mitigation is coverage over prevention.
- Treat LegacyHive as a live LPE against any Windows fleet where an attacker already has a foothold. Ransomware operators routinely chain a low-priv RCE or a phished credential into SYSTEM via whichever LPE is currently unpatched; assume this one is on the shortlist within the week.
- Restrict standard-user credential recovery paths. The published PoC needs a second local or domain account's password. Anything that reduces credential availability to non-admin users — LAPS on local accounts, aggressive credential-guard policy, KRBTGT hygiene, prompt cleanup of stale service accounts — narrows the attack surface until Microsoft ships a fix.
- Alert on unexpected
usrclass.datmounts from non-admin sessions. Sysmon Event ID 12/13 (registry object create / value set) intoHKCU\Software\Classesfrom a session token that doesn't own the loaded profile is the observable signature of the public PoC. Detection-engineering shops should draft this rule now rather than after Microsoft assigns a CVE. - Watch for a rewritten PoC. The GitHub repo has 221 stars and 60 forks as of publication. The gap between "stripped PoC exists" and "weaponised loader exists" is typically days, not weeks, when the original author has already shown that a fuller version works.
- Do not remove the July 2026 updates in the belief that a rollback removes the risk — the vulnerability predates July and Microsoft's patch simply did not touch it. Rolling back reopens the SharePoint zero-day (CVE-2026-56164) and the AD FS zero-day (CVE-2026-56155) that shipped this Patch Tuesday.
Context
Nightmare Eclipse has been in an escalating public dispute with Microsoft since April 2026 over what the researcher characterises as a communication breakdown on prior submissions. LegacyHive is the latest of several Windows LPE PoCs the same handle has dropped without coordinated disclosure. Microsoft's public position on the researcher's earlier drops has been the standard "we recommend customers apply the latest updates"; that line is unhelpful this month because the latest update is what the PoC works on.
The broader pattern — a researcher timing a full-fat PoC drop to the same day as Patch Tuesday, specifically to embarrass the vendor's monthly cadence — has been more common in 2026 than in prior years. It mirrors the Chrome V8 CVE-2026-11645 fifth zero-day pattern and the Cursor DuneSlide sandbox escapes where the exploit chain was public before defenders had a signature.
What other outlets missed
Coverage at The Hacker News, The Register and SecurityWeek framed LegacyHive around the "stripped PoC" and the researcher-Microsoft feud. All correct, and all missed the operationally-relevant point: the PoC is not just "a demonstration" — it targets a service that runs on every Windows host, the primitive is a HKCR redirect (a class of bug Microsoft has patched at least three times in the last decade), and the mitigation posture is credential hygiene, not a KB number. Defenders don't get a Tuesday to plan around this one.