Microsoft fixes 0-day disclosed by rival researcher amid heated feud

Summary
– Microsoft released fixes for two high-severity zero-days disclosed by a researcher known as Nightmare Eclipse.
– The researcher released the vulnerabilities after claiming Microsoft violated an agreement regarding their disclosure.
– CVE-2026-45586 is a local privilege escalation vulnerability that could allow low-privileged users to gain full SYSTEM rights.
– Microsoft stated that exploiting the vulnerability requires minimal complexity and no user interaction, and that active exploitation is likely.
– The vulnerability is caused by “improper link resolution before file access” in the Windows Collaborative Translation Framework.
Microsoft has rolled out patches for two high-severity zero-day vulnerabilities this month, both disclosed by a researcher engaged in a bitter public dispute with the company.
The researcher, operating under the alias Nightmare Eclipse, has disclosed several critical security flaws in recent months, each accompanied by proof-of-concept (PoC) exploit code. These disclosures turned the bugs into zero-days, meaning they could be actively weaponized by attackers before official fixes were available. The researcher claims Microsoft broke a prior agreement regarding how these vulnerabilities were supposed to be handled.
“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
One of the vulnerabilities addressed in Microsoft’s June Patch Tuesday update is CVE-2026-45586, which Nightmare Eclipse originally disclosed in May under the name GreenPlasma. This flaw is a local privilege escalation (LPE) vulnerability, meaning an attacker could chain it with another exploit to bypass operating system protections and gain full SYSTEM-level privileges, enough to install malware or take complete control of a device.
Microsoft assessed that CVE-2026-45586 requires minimal complexity to exploit, demands no user interaction, and that the likelihood of active exploitation is high. The company attributed the vulnerability to “improper link resolution before file access (‘link following’) in the Windows Collaborative Translation Framework.” So far, there is no evidence the flaw has been exploited in the wild.
(Source: Ars Technica)




