Microsoft patches zero-day flaws amid researcher dispute
Ars Technica
Microsoft has released security updates to address two critical zero-day vulnerabilities that were publicly disclosed by a researcher known as Nightmare Eclipse. The researcher claims these disclosures were a response to Microsoft allegedly reneging on a prior agreement regarding vulnerability discussions. One patched flaw, CVE-2026-45586, is a local privilege escalation vulnerability in Windows, while the other, CVE-2020-17103, appears to be a regression from a previously fixed issue. Microsoft has also provided mitigation steps for another vulnerability, YellowKey, affecting BitLocker encryption, though a full fix is pending. The ongoing dispute highlights tensions between security researchers and software vendors over disclosure practices.
Original Source
Ars Technica — arstechnica.com