Microsoft’s latest Windows security update fixes two zero-days, but the bigger story is the awkward one: the patches land in the middle of a public fight with the researcher behind the disclosures, Nightmare Eclipse. The company says it addressed about 200 vulnerabilities in total, while several other issues he published remain open, partially mitigated, or still waiting on fuller guidance.
That mix is familiar in the Windows world. Patch Tuesday is supposed to be tidy; instead, it often becomes a sorting exercise in what is fixed, what is only contained, and what may resurface later because the original patch did not really hold.
CVE-2026-45586 gives attackers SYSTEM access
The most serious of the two newly fixed bugs is CVE-2026-45586, a local privilege escalation flaw that could let an attacker with low privileges reach SYSTEM level and install malware. Microsoft says the issue requires no user interaction and is low complexity, which is the sort of combination defenders dislike because it tends to move quickly from theory to abuse.
The flaw sits in Windows Collaborative Translation Framework and involves improper link following before file access. Microsoft has not seen evidence of active exploitation yet, but that is a comfort in the same way a fire alarm is comforting: useful, yes, but only because the smoke has not spread.
MiniPlasma points to a Windows patch that did not stick
The second fix, nicknamed MiniPlasma, is even more embarrassing in a different way. It is tied to CVE-2020-17103, a vulnerability Microsoft says it addressed about six years ago, which suggests either a regression or an incomplete repair that quietly came back for another turn.
That kind of repeat appearance is a bad look for any platform vendor, especially one that sells Windows on trust as much as on features. It also gives security teams one more reason to treat older patches as starting points, not guarantees.
Other Nightmare Eclipse disclosures are still hanging around
The update does not close the book on the researcher’s wider set of findings. YellowKey, which can bypass BitLocker protections, still lacks a full fix and currently comes with manual mitigation steps instead. Microsoft also has not fully closed other potentially serious bugs, including BlueHammer, another local privilege escalation issue, and RedSun, which affects Windows Defender.
Nightmare Eclipse has also published exploit code for a separate race-condition flaw in Defender, which raises the pressure on Microsoft to move faster on the rest of the backlog. The public dispute between the two sides only makes that harder: the researcher says disclosure agreements were broken, while Microsoft has accused him of violating disclosure rules and at one point signaled possible legal action before backing off.
What Microsoft security teams face next
What happens next depends on whether Microsoft can turn the remaining disclosures into clean bulletins before the arguments generate more noise than the bugs themselves. If more of these issues turn out to be regressions or incomplete fixes, the company will have a trust problem on top of a technical one, and that is a much uglier patch cycle.