Microsoft patches zero-days amid dispute with researcher Nightmare Eclipse
The software giant has issued fixes for two vulnerabilities disclosed by the researcher, who accuses the company of breaking a prior agreement.

Microsoft has released security patches for two high-severity zero-day vulnerabilities in its June vulnerability update, following disclosures by the researcher known as Nightmare Eclipse. The fixes address CVE-2026-45586, a local privilege escalation flaw in the Windows Collaborative Translation Framework, and MiniPlasma (CVE-2020-17103), a regression of a vulnerability originally fixed six years ago. These actions occur amidst a public dispute; the researcher has accused Microsoft of breaking a prior agreement, while Microsoft has criticised the researcher’s disclosure methods.
The patch for CVE-2026-45586 resolves a flaw that allows low-privilege users to gain full SYSTEM rights via improper link resolution. Microsoft stated that the vulnerability takes minimal complexity to exploit and requires no user interaction, though there are currently no indications of active exploitation in the wild. The researcher, also using the pseudonym GreenPlasma, disclosed this vulnerability in May along with limited proof-of-concept code.
Tuesday’s patch bundle also addressed MiniPlasma, which Microsoft confirmed was a regression or an incomplete patch of a fix originally issued in 2020. The company is updating its bulletin to note the republication of this six-year-old identifier. The June update cycle included fixes for roughly 200 vulnerabilities in total, with two confirmed as zero-days at the time of release.
Microsoft has not yet released patches for other vulnerabilities disclosed by the researcher, including those named RedSun and BlueHammer. However, the company provided manual mitigation instructions for YellowKey, a vulnerability that allows attackers to defeat BitLocker full-disk encryption. This flaw is particularly significant because BitLocker is specifically designed to protect against physical device access, and Microsoft has not yet fixed the underlying cause of the encryption defeat.
The conflict between the parties escalated in March when Nightmare Eclipse accused Microsoft of reneging on an arrangement, stating the company had left them "homeless with nothing." Microsoft publicly criticised the researcher for not disclosing vulnerabilities responsibly and had previously made veiled references to pursuing legal action, though it later relented following public backlash. On Tuesday, the researcher published exploit code for a new Windows race condition targeting Windows Defender, further intensifying the rivalry.


