2 min read

New Windows 11 zero-day targets user registry hives

Researcher Chaotic Eclipse has disclosed LegacyHive, a Windows 11 local privilege escalation flaw that needs prior device access.

Image: TechRadar

Security researcher Chaotic Eclipse has published another Windows 11 zero-day affecting fully patched systems, this time a local privilege escalation flaw dubbed LegacyHive. Unlike some of the researcher’s earlier releases, other security researchers do not appear to view this one as quite as severe.

According to TechRadar, LegacyHive targets Windows user hives — registry files that store settings tied to individual user accounts, including desktop preferences, app settings, mapped network drives, and user-specific security and privacy options. In theory, the flaw could give an attacker privileged read-write access to other users' hives, allowing a low-privileged account to be elevated.

That said, the exploit is not considered as immediately damaging as some previous disclosures because an attacker would first need some access to the device. This is a local privilege escalation issue, not a remote compromise on its own.

The disclosure also differs from earlier Chaotic Eclipse releases in two key ways:

Recommended reading

Gemini CLI helped run an 8-device botnet

  • It was published without a CVE identifier
  • It did not include a fully working proof of concept

Chaotic Eclipse had previously released seven exploits for fully patched Windows 11 systems and said a “bone-shattering” release would arrive on July 14, 2026. The researcher has argued that Microsoft treated them unfairly, while Microsoft criticized the disclosures as not being handled responsibly and at one point raised the prospect of legal action before backing away after public backlash.

Even without a full PoC, experts cited by TechRadar warned that capable attackers could likely weaponize the bug quickly, and urged security and intelligence teams to prepare mitigations.

Best antivirus software header
Best antivirus software header
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading