Microsoft fixes two zero-days disclosed by feuding researcher
Original: Locked in heated rivalry with researcher, Microsoft fixes 0-day they disclosed
Why This Matters
Zero-day disclosures highlight tensions in vulnerability research relationships
Microsoft patched two high-severity zero-day vulnerabilities disclosed by researcher Nightmare Eclipse following a heated dispute. The fixes address the GreenPlasma (CVE-2026-45586) and MiniPlasma vulnerabilities, which could enable privilege escalation attacks.
Microsoft released patches for two zero-day vulnerabilities disclosed by researcher Nightmare Eclipse amid an ongoing dispute. The researcher disclosed multiple high-severity flaws with proof-of-concept code after claiming Microsoft violated an agreement, leaving them "homeless with nothing." The June patch bundle fixes CVE-2026-45586 (GreenPlasma), a local privilege escalation vulnerability in the Windows Collaborative Translation Framework whose exploitation requires minimal complexity. Microsoft also patched MiniPlasma, tracked as CVE-2020-17103, which was initially fixed six years ago but appears to have regressed. Other disclosed vulnerabilities remain unpatched, including YellowKey (which affects BitLocker encryption), RedSun (a Windows Defender flaw), and BlueHammer (a privilege escalation flaw). Microsoft provided manual mitigation instructions for YellowKey but hasn't fixed the underlying cause.