Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.
Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.
Disclosure drama
“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586. Nightmare Eclipse disclosed the vulnerability and limited PoC code in May under the name GreenPlasma. The vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware.
Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely. The vulnerability, the company added, was the result of “improper link resolution before file access (‘link following’) in [the] Windows Collaborative Translation Framework.” There are no indications that the vulnerability has been actively exploited so far.
Tuesday’s patch bundle also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. That means MiniPlasma was the result of a regression or an incomplete patch in its initial form. The company is in the process of updating Tuesday’s bulletin to note the republication.
Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption. That could be a boon when attackers have physical access to a device (the precise scenario Bitlocker is designed to protect against). The company has yet to fix the underlying cause of the vulnerability.
The status of other vulnerabilities disclosed by Nightmare Eclipse are also unclear at the moment. The researcher named one vulnerability, present in Windows Defender RedSun. Another, named BlueHammer, is also a local privilege escalation flaw that provides SYSTEM rights.
Over the past few months, Nightmare Eclipse has taken multiple potshots at Microsoft. The specific criticisms remain unclear, but many make references to complaints about the company’s vulnerability disclosure program. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a vailed reference to the possibility of pursuing legal action. After a public backlash, Microsoft later relented and vowed no such legal action would occur.
On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability. It’s a race condition that targets Defender.
Tuesday’s patch batch included fixes for roughly 200 vulnerabilities. Notwithstanding the appearance that MiniPlasma was fixed, two of them were also confirmed as zero-days.
Post updated to include information Microsoft provided after initial publication of this post.
