Microsoft · GreenPlasma · YellowKey · Ars Technica
Locked in heated rivalry with researcher, Microsoft addresses 0-day they revealed
Compiled by KHAO Editorial, aggregated from 1 source.
Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.
Key facts
- As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586
- Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely
- Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago
- On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability
Summary
Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. “But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586. Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely.