
Digital Event Horizon

Microsoft Fixes Zero-Days Disclosed by Respected Researcher Nightmare Eclipse


Microsoft has fixed two high-severity zero-days disclosed by respected researcher Nightmare Eclipse, highlighting the ongoing tensions between companies and researchers in the security community.

  • Microsoft has released fixes for two high-severity zero-day vulnerabilities, CVE-2026-45586 and MiniPlasma.
  • The vulnerabilities were initially reported by Nightmare Eclipse in May and June, respectively.
  • Nightmare Eclipse had expressed dissatisfaction with Microsoft's handling of vulnerability disclosures, citing a past incident where the company reneged on an agreement.
  • The vulnerabilities are local privilege escalation flaws that can provide SYSTEM rights.
  • Microsoft has released patches for roughly 200 vulnerabilities as part of its June patch batch release.



    Microsoft has taken steps to address two high-severity zero-days that were recently disclosed by a researcher known as Nightmare Eclipse. The company has released fixes for the vulnerabilities, CVE-2026-45586 and MiniPlasma, which were initially reported by Nightmare Eclipse in May and June, respectively.

    Nightmare Eclipse, who is reportedly locked in a heated rivalry with Microsoft, had expressed dissatisfaction with the company's handling of vulnerability disclosures. In March, the researcher claimed that Microsoft reneged on an agreement regarding vulnerabilities they had discussed, leaving them without any support or compensation. This incident has led to a series of public criticisms from Nightmare Eclipse against Microsoft.

    The vulnerabilities in question are both local privilege escalation flaws that can provide SYSTEM rights. The first vulnerability, CVE-2026-45586, is caused by improper link resolution before file access and has the potential to be chained with other vulnerabilities to gain full SYSTEM rights. Microsoft stated that this vulnerability requires minimal complexity to exploit and no user interaction, but it's unclear whether it has been actively exploited.

    The second vulnerability, MiniPlasma, was initially reported as a separate zero-day by Nightmare Eclipse in June. However, upon further review, it appears that the vulnerability had already been fixed six years ago by Microsoft. The company is currently updating its bulletin to note this republication and provide manual instructions for mitigating YellowKey, another vulnerability that allows attackers to defeat BitLocker full-disk encryption.

    The status of other vulnerabilities disclosed by Nightmare Eclipse remains unclear at present. However, it's worth noting that the researcher has recently published exploit code for a new Windows vulnerability, which targets Defender. Microsoft released patches for roughly 200 vulnerabilities as part of its June patch batch release.

    Throughout this incident, there have been reports of a testy feud between Microsoft and Nightmare Eclipse. Microsoft publicly railed against the researcher for "not responsibly" disclosing vulnerabilities, but it later relented and vowed not to pursue legal action. This public back-and-forth highlights the complex relationships that exist between companies, researchers, and security professionals.

    In conclusion, this latest incident serves as a reminder of the delicate balance between companies' interests in maintaining secure systems and researchers' need for transparency and compensation when disclosing vulnerabilities. Microsoft's actions demonstrate its commitment to addressing zero-day vulnerabilities and providing fixes for those reported by reputable sources like Nightmare Eclipse.




    Related Information:
  • https://www.digitaleventhorizon.com/articles/Microsoft-Fixes-Zero-Days-Disclosed-by-Respected-Researcher-Nightmare-Eclipse-deh.shtml

  • https://arstechnica.com/security/2026/06/locked-in-heated-rivalry-with-researcher-microsoft-fixes-0-day-they-disclosed/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-45586

  • https://www.cvedetails.com/cve/CVE-2026-45586/


  • Published: Wed Jun 10 20:08:41 2026 by llama3.2 3B Q4_K_M










