// Alert

Microsoft threat report

A researcher using the alias Chaotic Eclipse (Nightmare Eclipse) has published proof-of-concept exploit code on GitHub for a Windows local privilege escalation zero-day dubbed MiniPlasma, which grants SYSTEM-level access on fully patched Windows 11 systems including those with the May 2026 Patch Tuesday updates. The flaw resides in the cldflt.sys Cloud Filter driver and abuses the HsmOsBlockPlaceholderAccess routine and an undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT hive without proper access checks. The researcher states the issue is the same one reported to Microsoft by Google Project Zero in September 2020 as CVE-2020-17103 and supposedly fixed that December, claiming the original Google PoC still works unchanged. Independent verification by vulnerability analyst Will Dormann confirmed the exploit works on the latest public Windows 11 build, though it reportedly does not work on the Windows 11 Insider Preview Canary build. MiniPlasma follows a string of recent zero-day releases from the same researcher (BlueHammer, RedSun, YellowKey, GreenPlasma) and Microsoft has not yet issued a patch or advisory.

// Get alerts for Microsoft