What is a zero-day vulnerability?

Last reviewed June 2, 2026

A zero-day is a vulnerability that is unknown to the vendor or has no available patch, often discovered because attackers are already exploiting it. The name reflects that defenders have had zero days to prepare a fix. Once a patch ships and is widely available, the flaw is no longer a zero-day, though unpatched systems remain at risk.

What zero-day means

Zero-day refers to a vulnerability that the people responsible for fixing it have not yet had a chance to address, because they either do not know about it or have not released a patch. The term comes from the idea that the vendor has had zero days of warning before the flaw is abused.

People use the phrase in three closely related ways: a zero-day vulnerability (the unpatched flaw itself), a zero-day exploit (code that attacks it), and a zero-day attack (an incident using that exploit). All three share the defining trait that no fix was available when exploitation became possible.

Why zero-days are so dangerous

Because there is no patch, normal defenses focused on keeping software up to date offer no protection. Attackers who hold a zero-day can often bypass otherwise well-maintained systems, which makes these flaws highly valuable on both legitimate bug-bounty and illicit markets.

  • No patch exists, so updating cannot close the hole.
  • Signature-based detection may miss a previously unseen technique.
  • Defenders are reacting to attacks rather than preventing them.
  • They are often used in targeted, high-value intrusions.

From zero-day to patched

A flaw stops being a zero-day once the vendor learns of it and ships a fix. The window between active exploitation and a widely deployed patch is the most dangerous period. After a patch is released, the same flaw becomes a known, or n-day, vulnerability, but unpatched systems stay exposed until administrators apply the update.

Vulnerabilities confirmed to be exploited, including former zero-days, are commonly listed in the CISA Known Exploited Vulnerabilities catalog so organizations can prioritize them.
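
The prioritization step described above, as an added example that is not part of the original page: it matches unpatched scanner findings against a catalog excerpt and orders them for remediation. The field names follow the KEV catalog's public JSON feed; the catalog excerpt, hosts, findings and CVE identifiers are constructed placeholders, and the ordering rule (ransomware-linked first, then earliest due date) is an assumed policy.

```python
import json
from datetime import date

# Constructed excerpt shaped like the KEV JSON feed; CVE IDs are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
   "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
   "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: (host, CVE) pairs that are still unpatched.
FINDINGS = [
    ("web01", "CVE-0000-0002"),
    ("vpn01", "CVE-0000-0001"),
    ("db01", "CVE-0000-0003"),    # not listed in the catalog excerpt
    ("VPN02", "cve-0000-0001 "),  # scanners often emit inconsistent casing/whitespace
]

def prioritize(findings, kev, today):
    """KEV-listed findings first (ransomware-linked, then earliest due date), then the rest."""
    index = {v["cveID"].upper(): v for v in kev["vulnerabilities"]}
    listed, unlisted = [], []
    for host, cve in findings:
        cve = cve.strip().upper()  # normalize before lookup so matches are not missed
        entry = index.get(cve)
        if entry is None:
            unlisted.append({"host": host, "cve": cve, "kev": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        listed.append({
            "host": host, "cve": cve, "kev": True,
            "due": due, "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Assumed policy: ransomware-linked entries first, then by remediation due date.
    listed.sort(key=lambda f: (not f["ransomware"], f["due"], f["host"].lower()))
    return listed + unlisted

if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_SAMPLE, date(2026, 2, 1)):
        print(row)
```

A finding that is absent from the catalog is not thereby safe; it only lacks confirmed-exploitation evidence, so it is ranked after the listed ones rather than dropped.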

Defending against zero-days

You cannot patch a flaw nobody knows about, but you can reduce exposure. Limiting the attack surface, segmenting networks, applying least privilege, and using behavior-based detection all help contain a zero-day attack even when the specific exploit is unknown. Rapid patching once a fix appears closes the remaining window.

Frequently asked questions

Why is it called a zero-day?
The name reflects that the vendor has had zero days to develop and release a fix before the vulnerability is exploited or disclosed. There is no patch available when the threat emerges.

What is the difference between a zero-day and an n-day?
A zero-day has no available patch. An n-day is a known vulnerability that has been patched for some number of days, but unpatched systems are still at risk.

Can antivirus stop a zero-day?
Traditional signature-based antivirus often cannot, because the technique is new. Behavior-based detection, exploit mitigations, and reducing the attack surface are more effective at limiting zero-day impact.

How long does a vulnerability stay a zero-day?
It remains a zero-day until the vendor becomes aware and releases a fix. That can be days or, in rare cases, years if the flaw stays secret among attackers.