ctipilot.ch

Nightmare Eclipse Windows zero-day drops: YellowKey (BitLocker) and GreenPlasma (CTFMON LPE), public PoC

incident · nightmare-eclipse-windows-zerodaydrops-2026-05

Coverage timeline
Coverage timeline: 2 appearances, first 2026-05-15 → last 2026-05-31
Briefs: 2 (2 distinct)
Sources cited: 21 (12 hosts)
Sections touched: 2 (active_threats, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-05-31 · CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026)
     weekly_summary: consolidated in the weekly summary for week W22
  2. 2026-05-15 · CTI Daily Brief — 2026-05-15
     active_threats: first coverage. YellowKey: TPM-only BitLocker bypass via WinRE NTFS TxF replay. GreenPlasma: CTFMON LPE (partial PoC, UAC prompt). No CVE assigned, no Microsoft patch.

Where this entity is cited

  • active_threats: 1
  • weekly_summary: 1

Source distribution

  • bleepingcomputer.com: 4 (19%)
  • msrc.microsoft.com: 3 (14%)
  • securityweek.com: 2 (10%)
  • thehackernews.com: 2 (10%)
  • security-hub.ncsc.admin.ch: 2 (10%)
  • theregister.com: 2 (10%)
  • heise.de: 1 (5%)
  • helpnetsecurity.com: 1 (5%)
  • other: 4 (19%)

Items in briefs about Nightmare Eclipse Windows zero-day drops: YellowKey (BitLocker) and GreenPlasma (CTFMON LPE), public PoC (5)

Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

key: item:nightmare-chaotic-eclipse-zero-day-wave-the-defender-lpe-now

The serialised Windows zero-day campaign the W24 weekly consolidated has a worsening status. As of 2026-06-21, CVE-2026-50656 (RoguePlanet) remains unpatched. The exploit abuses a Time-of-Check-to-Time-of-Use race in Microsoft Defender's file-processing workflow (CWE-59): Defender checks a file path under SYSTEM, then reopens it, and the exploit swaps the file in the gap to get SYSTEM-level execution (Help Net Security, 2026-06-17; MSRC; daily 06-19). The PoC is validated against fully-patched Windows 10 and 11 including the June 2026 Patch Tuesday build, Real-Time Protection status is irrelevant, and the researcher states small PoC changes defeat mitigations: "the only thing you can realistically do is wait for a patch." Microsoft confirms a fix is in development with no timeline. This is post-initial-access privilege escalation (local authentication required), so it compounds rather than initiates a breach; until a patch ships, the realistic controls are application allowlisting to constrain post-exploitation and hunting for MsMpEng.exe spawning unexpected children or temp-directory symlink manipulation timed to scans. Outstanding question to watch: whether Microsoft ships an out-of-band fix or holds it to July Patch Tuesday.

UPDATE: Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

UPDATE (originally covered in the 2026-W24 weekly summary): The serialised Windows zero-day campaign tracked as Nightmare/Chaotic Eclipse has a new, formally-identified entry: RoguePlanet, the local elevation-of-privilege flaw in the Microsoft Malware Protection Engine (mpengine.dll, used by Defender on all supported Windows 10/11), is now assigned CVE-2026-50656, acknowledged by Microsoft, and rated Exploitation More Likely on the MSRC Exploitability Index (Microsoft MSRC, 2026-06-16; Help Net Security, 2026-06-17).

The exploit abuses a TOCTOU race: during a scan Defender resolves a file path and later reopens it for analysis, and the PoC swaps in a malicious file in that window to obtain a SYSTEM shell. It requires only local low-privilege access, needs no user interaction, and the researcher states it functions regardless of whether real-time protection is enabled — though the race makes it non-deterministic ("hit or miss") (The Hacker News, 2026-06-17). As of 2026-06-18 Microsoft states a fix is in development with no timeline; the public PoC is the in-window delta.
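The hunting control the briefs above recommend, a watch for MsMpEng.exe spawning children, as an added example written for this page (it is not code from the briefs, the researcher or Microsoft). It reads Sysmon Event ID 1 and falls back to Security Event ID 4688; the severity grading and the choice of "shell" binaries are this example's own assumptions and should be tuned against your environment's baseline.

```powershell
# Added hunting example, not from the brief: list process creations whose parent is
# MsMpEng.exe (the Defender service) and grade them. Sources: Sysmon Event ID 1 from
# Microsoft-Windows-Sysmon/Operational, with Security Event ID 4688 as a fallback
# (4688 needs "Audit Process Creation" plus command-line logging enabled). The
# grading rules below are assumptions to tune against your own baseline.

function Get-EventDataMap {
    # Flatten the <EventData><Data Name="..."> pairs of one record into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Get-DefenderChildSeverity {
    # Returns 'none' (parent is not MsMpEng.exe), 'review' or 'high' for one record.
    # Field names differ between Sysmon (ParentImage/Image) and 4688
    # (ParentProcessName/NewProcessName), so they are parameters.
    param(
        [Parameter(Mandatory)][hashtable]$Data,
        [string]$ParentField = 'ParentImage',
        [string]$ImageField  = 'Image'
    )
    $parent = [string]$Data[$ParentField]
    $image  = [string]$Data[$ImageField]
    if (-not $parent -or [IO.Path]::GetFileName($parent) -ine 'MsMpEng.exe') { return 'none' }

    # Assumption: MsMpEng.exe spawns essentially nothing in normal operation, so any
    # child is worth a look; a shell, or a binary under a user-writable path, is what
    # a won file-swap race would produce and gets the top grade.
    $leaf = [IO.Path]::GetFileName($image)
    $shells = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')
    $userWritable = $image -match '\\Users\\|\\Temp\\|\\AppData\\'
    if (($shells -icontains $leaf) -or $userWritable) { return 'high' }
    return 'review'
}

function Find-DefenderChildProcesses {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $sources = @(
        @{ Log='Microsoft-Windows-Sysmon/Operational'; Id=1;    Parent='ParentImage';       Image='Image';          User='User' },
        @{ Log='Security';                             Id=4688; Parent='ParentProcessName'; Image='NewProcessName'; User='SubjectUserName' }
    )
    foreach ($s in $sources) {
        # SilentlyContinue covers hosts without Sysmon and windows with no matching events.
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $s.Log; Id = $s.Id; StartTime = $Since }
        foreach ($e in $events) {
            $d   = Get-EventDataMap $e
            $sev = Get-DefenderChildSeverity -Data $d -ParentField $s.Parent -ImageField $s.Image
            if ($sev -eq 'none') { continue }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Source      = $s.Log
                Severity    = $sev
                Parent      = $d[$s.Parent]
                Image       = $d[$s.Image]
                CommandLine = $d['CommandLine']
                User        = $d[$s.User]
            }
        }
    }
}

Find-DefenderChildProcesses | Sort-Object Severity, Time | Format-Table -AutoSize -Wrap
```

Run it elevated (the Security log is not readable by standard users). A non-deterministic race produces repeated attempts, so a burst of 'review' hits from the same user shortly before a 'high' hit is the pattern to look for rather than a single event.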

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.
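A fleet check for the "retain BitLocker PIN/TPM policy" recommendation above, added here as an example (it is not code from the brief or from Microsoft): it reports operating-system volumes protected by the TPM alone, the configuration the YellowKey coverage on this page concerns. Only built-in BitLocker module cmdlets are used; the Finding labels are this example's own.

```powershell
# Added example (not from the brief or from Microsoft): audit OS-volume BitLocker
# protector types so that a TPM-only configuration stands out. Uses only the
# built-in BitLocker module (Windows 10/11 Pro/Enterprise and Server). Run elevated,
# locally or via Invoke-Command.

function Test-BitLockerProtectorPosture {
    [CmdletBinding()]
    param(
        # A Get-BitLockerVolume object; taken as a parameter so saved objects from a
        # fleet collection can be fed in as well.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Protector types that demand a pre-boot secret in addition to the TPM.
        $preBoot    = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
        $hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0
        $tpmOnly    = ($types -contains 'Tpm') -and -not $hasPreBoot

        # Finding labels are this example's own vocabulary.
        $finding = if ($Volume.VolumeStatus -eq 'FullyDecrypted') { 'NOT_ENCRYPTED' }
                   elseif ($Volume.ProtectionStatus -ne 'On')      { 'PROTECTION_SUSPENDED' }
                   elseif ($tpmOnly)                               { 'TPM_ONLY' }
                   else                                            { 'OK' }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $Volume.MountPoint
            VolumeType       = $Volume.VolumeType
            VolumeStatus     = $Volume.VolumeStatus
            ProtectionStatus = $Volume.ProtectionStatus
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

# Only the operating-system volume carries the pre-boot authentication question;
# data volumes are normally auto-unlocked once the OS volume is open.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    Test-BitLockerProtectorPosture |
    Format-Table -AutoSize
```

A TPM_ONLY result is remediated with Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin <SecureString>, which succeeds only when the "Require additional authentication at startup" policy permits a startup PIN; the old TPM-only protector is removed afterwards with Remove-BitLockerKeyProtector.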

UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation) remain unpatched; researcher announces July 14 drop

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (July's Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, requiring physical access), GreenPlasma (CTFMON local privilege escalation), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to obtain a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

Treat the 14 July release date as a hard deadline for closing any outstanding Windows LPE exposure. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies that block unsigned executables in low-privileged user sessions while patches are pending. Next Patch Tuesday: 9 June 2026.

Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-31

The Windows zero-day cluster carried a material technical update beyond the 2026-05-30 daily. MiniPlasma, the sixth zero-day the "Chaotic Eclipse" researcher has dropped in six weeks, is a local privilege escalation in the Windows Cloud Filter driver (cldflt.sys) that re-opens CVE-2020-17103, the researcher claiming the 2020 patch was incomplete or partially reverted. ThreatLocker independently confirmed MiniPlasma achieves SYSTEM on a fully-patched Windows 11 running the May 2026 cumulative update, i.e. there is no configuration that closes it today. Three earlier drops in the series (BlueHammer, RedSun, UnDefend) have been observed in real attacks. Microsoft's DCU has called the uncoordinated releases "never justifiable" but has shipped no out-of-band fix; the 9 June Patch Tuesday is the first fix opportunity (see § 9). Until then, treat any cldflt.sys-adjacent LPE as live.