Microsoft Patches High-Severity Zero-Days Amid Public Feud With ‘Nightmare Eclipse’
Table of Contents
A Volatile Cycle of Disclosure
Microsoft has released patches for two high-severity zero-day vulnerabilities this week, bringing a temporary reprieve to a public and increasingly personal conflict between the software giant and an independent researcher known as Nightmare Eclipse. The updates arrive after months of friction, characterized by leaked proof-of-concept (PoC) code and mutual accusations of bad faith.
The tension stems from a breakdown in the traditional vulnerability disclosure process. Nightmare Eclipse claims that Microsoft reneged on a private agreement regarding the reporting and rewarding of flaws, leading the researcher to release several high-severity vulnerabilities into the wild. In a poignant March post, the researcher alleged that the company’s actions left them “homeless with nothing,” framing the public disclosures as a forced response to being “stabbed in the back.”
Breaking Down GreenPlasma and MiniPlasma
The most pressing fix in Tuesday’s update addresses CVE-2026-45586, a vulnerability dubbed “GreenPlasma” by the researcher. Technically, this is a local privilege escalation (LPE) flaw residing within the Windows Collaborative Translation Framework. Specifically, the issue stems from improper link resolution before file access—a classic “link following” error—that allows an attacker to bypass OS protections.
According to Microsoft’s own documentation, GreenPlasma requires minimal complexity to exploit and necessitates no user interaction. When chained with another vulnerability, it could allow a low-privileged user or process to seize full SYSTEM rights, effectively granting an attacker total control over the machine for the purpose of installing malware or exfiltrating data. While Microsoft notes that active exploitation in the wild has not yet been detected, they acknowledged that the likelihood of such attacks was high given the vulnerability’s nature.
The second fix targets “MiniPlasma” (tracked as CVE-2020-17103). In a revealing detail, Microsoft confirmed that this specific flaw was originally patched six years ago. Its reappearance suggests a regression—a common but frustrating occurrence in massive codebases where a previous fix is accidentally overwritten or neutralized by a newer update. This implies that for several years, a known hole in Windows security had quietly reopened.
The Remaining Gaps: BitLocker and RedSun
Despite the Tuesday patches, the standoff between Microsoft and Nightmare Eclipse is far from over. Several other disclosed vulnerabilities remain unpatched, leaving a window open for potential attackers. Among the most concerning is “YellowKey,” a flaw that allows attackers to bypass BitLocker full-disk encryption. While Microsoft has provided manual mitigation instructions, they have yet to release a permanent code-level fix for the underlying cause.
YellowKey is particularly dangerous in scenarios where an attacker has physical access to a device, which is the exact threat model BitLocker is designed to thwart. Furthermore, the status of other reported flaws—including “RedSun” in Windows Defender and another LPE flaw dubbed “BlueHammer”—remains ambiguous.
Corporate Diplomacy vs. Researcher Ethics
The fallout from this dispute highlights the fragility of the Bug Bounty ecosystem. Microsoft initially responded to the disclosures by accusing Nightmare Eclipse of “irresponsible” reporting, even hinting at potential legal action. However, after a wave of backlash from the security community, the company walked back those threats.
The cycle of retaliation continues; almost immediately following the release of the patches, Nightmare Eclipse published exploit code for a new race condition targeting Windows Defender. This “tit-for-tat” dynamic underscores a growing trend where the boundary between professional security research and “grey hat” activism becomes blurred when corporate disclosure programs fail to meet the expectations of the researchers they rely on.
