
BlueHammer (CVE-2026-33825): a Microsoft Defender flaw hands attackers SYSTEM

Microsoft fixed an elevation-of-privilege vulnerability in the Microsoft Defender antimalware platform in April 2026. Tracked as CVE-2026-33825 and named BlueHammer by researchers, the bug carries a CVSS score of 7.8 and lets a local, unprivileged user end up running code with SYSTEM-level rights, the highest on Windows.

What makes this one stand out is the timing. It went public with a working proof of concept before the official patch shipped. That makes it a zero-day in the strict sense: the exploit code was out in the open while defenders were still waiting on a fix.

What actually breaks

BlueHammer abuses a TOCTOU (time-of-check to time-of-use) race condition inside Defender’s remediation engine. When Defender detects a malicious file and starts cleanup, it performs privileged write operations without re-checking the destination path at the exact moment of the write.

The attack chains a few well-known Windows primitives. First, the attacker drops a file that triggers a Defender detection. When real-time protection begins remediation, the exploit uses a batch oplock (opportunistic lock) to stall Defender at the critical point, between the path check and the privileged write. With Defender paused, the attacker replaces the temporary directory with an NTFS junction, a directory reparse point that transparently redirects the path to C:\Windows\System32. When the oplock is released and Defender resumes the remediation write, it follows the redirected path and writes the file with SYSTEM privileges. From there, overwriting a system binary and gaining SYSTEM-level execution is straightforward.

No user interaction is required, and no prior privileges are needed. Running code on the machine as a normal user is enough.
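The junction-into-System32 step is the part of this chain that leaves a visible artifact on disk. The script below is an added example (not from the article or the researchers who named BlueHammer) that hunts for directory-level reparse points under user-writable temp locations whose target lands in a sensitive Windows directory. The search roots and the list of sensitive targets are assumptions to adapt to your environment; the cmdlets and properties used (Get-ChildItem -Attributes ReparsePoint, LinkType, Target) are standard Windows PowerShell 5.1+.

```powershell
# Added example: hunt for directory junctions/symlinks in temp paths that redirect
# into sensitive system directories. Search roots and targets are assumptions.
param(
    [string[]]$SearchRoots = @($env:TEMP, "$env:SystemRoot\Temp", $env:ProgramData),
    [string[]]$SensitiveTargets = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:ProgramFiles)
)

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # ReparsePoint covers both junctions and symbolic links; keep only directories,
    # since the described attack swaps a directory, not a file.
    Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $link = $_
            # Junction targets are often stored with an NT \??\ prefix; strip it before matching.
            $target = ([string]($link.Target | Select-Object -First 1)) -replace '^\\\?\?\\', ''

            foreach ($sensitive in $SensitiveTargets) {
                if ($target -like "$sensitive*") {
                    [pscustomobject]@{
                        Link     = $link.FullName
                        LinkType = $link.LinkType      # 'Junction' or 'SymbolicLink'
                        Target   = $target
                        Owner    = (Get-Acl -LiteralPath $link.FullName).Owner
                        Created  = $link.CreationTime
                    }
                }
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No directory links into sensitive paths found under: $($SearchRoots -join ', ')"
}
```

Run it elevated so Windows\Temp and ProgramData are fully readable. A junction owned by an unprivileged account and created moments before a Defender remediation event is the pattern worth escalating; a legitimate junction in these locations is rare enough that every hit deserves a look.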

Who is affected and how serious it is

The flaw reaches Windows 10 and Windows 11 with Defender enabled, which is the default on the overwhelming majority of machines. As a local privilege-escalation vector it won’t get an attacker onto a system in the first place, but it’s exactly the piece that turns an initial foothold into full control. That pattern, land with low privileges and then escalate, is the one that shows up most often in real intrusions.

Mitigation

Microsoft resolved the bug through an updated Defender antimalware platform release that ships automatically over Defender’s own update channel. In practice, most machines with Defender kept current already received the fix without any manual step.

It’s worth confirming that the antimalware platform is up to date (Get-MpComputerStatus in PowerShell reports the installed platform and engine builds in its AMProductVersion and AMEngineVersion fields) and that Defender automatic updates aren’t blocked by policy. CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog and set a patching deadline for US federal agencies, a sign that the risk is real rather than theoretical.
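The check described above, as an added example (not code from the article or from Microsoft): it compares the installed antimalware platform build against a minimum version you supply and flags settings that would keep the fix from arriving. The minimum version is deliberately a parameter, not a hard-coded number; take it from Microsoft's advisory for CVE-2026-33825. Every property read here exists on the objects returned by Get-MpComputerStatus and Get-MpPreference; the registry policy path is the standard Defender policy key.

```powershell
# Added example: verify the Defender antimalware platform is at or above a
# known-good build and that nothing blocks its updates. The version is an input,
# not a value taken from the article.
param(
    [Parameter(Mandatory)][version]$MinimumPlatformVersion
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$platform = [version]$status.AMProductVersion   # antimalware platform build
$engine   = [version]$status.AMEngineVersion    # scanning engine build

$checks = [ordered]@{
    'Antimalware service enabled'          = [bool]$status.AMServiceEnabled
    'Real-time protection enabled'         = [bool]$status.RealTimeProtectionEnabled
    "Platform >= $MinimumPlatformVersion"  = ($platform -ge $MinimumPlatformVersion)
    'Signatures updated within 7 days'     = ($status.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))
    # If this preference is set, Defender will not pull engine/platform updates at startup.
    'Startup engine update not disabled'   = -not $pref.SignatureDisableUpdateOnStartupWithoutEngine
}

# Group Policy-managed Defender settings live here; DisableAntiSpyware=1 turns Defender off entirely,
# which means no remediation engine and no platform updates on this machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path -LiteralPath $policyKey) {
    $policy = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
    $checks['Not disabled by policy (DisableAntiSpyware)'] = ($policy.DisableAntiSpyware -ne 1)
}

"Platform: $platform   Engine: $engine"
$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $result = if ($check.Value) { 'OK' } else { $failed++; 'FAIL' }
    '{0,-48} {1}' -f $check.Key, $result
}

# Non-zero exit lets this run under a config-management or RMM job that alerts on failures.
exit $failed
```

Invoke it as `.\Check-DefenderPlatform.ps1 -MinimumPlatformVersion <build from the advisory>` from an elevated prompt; a machine that passes the version check but fails the update-policy checks is one that happened to receive the fix and may not receive the next one.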
