GreenPlasma: CTFMON Arbitrary Section LPE (CVE-2026-45586)
Nightmare-Eclipse PoC races Winlogon desktop switch to redirect CTF.AsmListCache section creation via Object Manager symlinks — stripped PoC, full SYSTEM chain left as CTF challenge.
Summary
GreenPlasma targets the Windows Collaborative Translation Framework (CTFMON) — the Text Services Framework component handling input method, handwriting, and language services. Published by Nightmare-Eclipse in May 2026, it exploits improper link resolution (CWE-59) during arbitrary section object creation in the Object Manager namespace. A standard user who wins a race against the Winlogon desktop switch can pre-place a symlink at `\Sessions\{n}\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon` and redirect where CTFMON creates its section — enabling influence over SYSTEM-trusted object paths.
Microsoft assigned CVE-2026-45586 and patched during June 2026 Patch Tuesday (CVSS 7.8). The published PoC is intentionally incomplete: the researcher stripped the final execution path that would spawn a full SYSTEM shell, framing completion as a CTF challenge. Lab analysis (Blackfort Technology, HivePro) confirms the section-creation primitive; chaining to full elevation requires additional Object Manager and CloudFiles policy manipulation beyond the released code.
GreenPlasma builds on James Forshaw's 2019 Google Project Zero CTF research but uses a symlink-before-desktop-switch primitive rather than ALPC protocol abuse. OFFSITE.DARK indexes the public PoC and defensive analysis only.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-45586 |
| Component | Windows Collaborative Translation Framework (CTFMON) |
| Root cause | Link following during section creation at predictable Object Manager path |
| Privileges required | Standard local user |
| Key object | \Sessions\{id}\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon |
| Primitives | NtCreateSymbolicLinkObject, Winlogon desktop-switch race, CloudFiles SetPolicyVal registry link abuse |
| PoC scope | Section creation demonstrated; full SYSTEM shell code withheld |
| Affected | Windows 11, Server 2022/2025 confirmed; Windows 10 uncertain |
| Patch | June 2026 Patch Tuesday cumulative updates |
Race mechanics
- Attacker ensures `ctfmon.exe` is not already holding the target session object (symlink creation fails with name collision if race lost).
- Before Winlogon completes a desktop switch, place symlink at `CTF.AsmListCache.FMPWinlogon` pointing to attacker-chosen section target (default PoC target: `\BaseNamedObjects\CTFMON_DEAD`).
- Winlogon desktop context creates the section; if symlink wins, creation redirects to attacker-controlled namespace.
- Combined with CloudFiles policy structure link abuse, a skilled attacker can influence SYSTEM-writable paths — the withheld portion converts this into full LPE.
Public PoC output shows successful arbitrary section creation (obj screenshot in README); Microsoft rated exploitation "more likely" at Patch Tuesday release.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-45586 |
| CVSS 3.1 | 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-59 (Link Following) |
| Published | 2026-06-09 |
| Exploit status | Public partial PoC; zero-day before Patch Tuesday |
Impact
- Post-compromise privilege escalation path on workstations where CTFMON is active (default on modern Windows).
- Incomplete public weaponization lowers immediate script-kiddie risk but documents the primitive for capable actors.
- Object Manager trust abuse — services and drivers that trust canonical CTF paths may be influenced by redirected sections.
- Cluster continuity — fifth distinct Windows component in the Nightmare-Eclipse series within ~10 weeks.
Mitigation
- Apply June 2026 Patch Tuesday updates immediately on workstations and servers.
- Restrict local admin and enforce least-privilege to reduce post-phishing escalation options.
- Monitor for `NtCreateSymbolicLinkObject` on `CTF.AsmListCache` paths from non-system contexts.
- Alert on anomalous SYSTEM shell spawn following `ctfmon.exe` or Winlogon activity.
- Track cluster releases — GreenPlasma patched same cycle as YellowKey and MiniPlasma; RoguePlanet followed hours later unpatched.
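The symlink-monitoring rule from the list above, sketched as an added example (not code from the PoC, Microsoft, or any vendor): it flags symbolic-link creation on per-session `CTF.AsmListCache.*` names by any caller other than SYSTEM. The JSON event schema, its field names and the sample events are constructed assumptions; map them to whatever object-manager telemetry your sensor provides.

```python
import json
import re

SYSTEM_SID = "S-1-5-18"  # LocalSystem; every other SID counts as non-system here
# Object Manager names are normally looked up case-insensitively, so match that way.
CTF_CACHE = re.compile(
    r"^\\Sessions\\\d+\\BaseNamedObjects\\CTF\.AsmListCache\.", re.IGNORECASE)

# Constructed sample telemetry, one JSON object per line. The schema (ts, op,
# path, target, sid, image) is hypothetical, not any real sensor's format.
SAMPLE_EVENTS = r'''
{"ts":"2026-06-10T09:14:02Z","op":"CreateSymbolicLink","path":"\\Sessions\\1\\BaseNamedObjects\\CTF.AsmListCache.FMPWinlogon","target":"\\BaseNamedObjects\\CTFMON_DEAD","sid":"S-1-5-21-1111-2222-3333-1001","image":"unknown.exe"}
{"ts":"2026-06-10T09:14:03Z","op":"CreateSection","path":"\\Sessions\\1\\BaseNamedObjects\\CTF.AsmListCache.FMPWinlogon","sid":"S-1-5-18","image":"ctfmon.exe"}
{"ts":"2026-06-10T09:15:40Z","op":"CreateSymbolicLink","path":"\\Sessions\\1\\BaseNamedObjects\\AppLink","target":"\\BaseNamedObjects\\AppData","sid":"S-1-5-21-1111-2222-3333-1001","image":"app.exe"}
{"ts":"2026-06-10T09:16:11Z","op":"CreateSymbolicLink","path":"\\Sessions\\2\\BaseNamedObjects\\CTF.AsmListCache.FMPWinlogon","target":"\\BaseNamedObjects\\X","sid":"S-1-5-18","image":"svc.exe"}
{"ts":"2026-06-10T09:17:25Z","op":"CreateSymbolicLink","path":"\\sessions\\3\\basenamedobjects\\ctf.asmlistcache.fmpwinlogon","target":"\\BaseNamedObjects\\Y","sid":"S-1-5-21-1111-2222-3333-1002","image":"unknown.exe"}
{"ts":"2026-06-10T09:18:00Z","op":"CreateSymbolicLink","path":
'''

def find_ctf_symlink_alerts(lines):
    """Return one alert dict per non-SYSTEM symlink created on a CTF cache name."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt record: skip it, keep processing
        if not isinstance(ev, dict) or ev.get("op") != "CreateSymbolicLink":
            continue  # section creation by ctfmon.exe itself is expected
        if not CTF_CACHE.match(ev.get("path", "")):
            continue  # symlinks elsewhere in BaseNamedObjects are out of scope
        if ev.get("sid") == SYSTEM_SID:
            continue  # the rule targets non-system contexts only
        alerts.append({k: ev.get(k) for k in ("ts", "sid", "image", "path", "target")})
    return alerts

if __name__ == "__main__":
    for alert in find_ctf_symlink_alerts(SAMPLE_EVENTS.splitlines()):
        print("ALERT", json.dumps(alert))
```
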
Sources
- Project Nightcrawler — NightmareEclipse/GreenPlasma (primary PoC source)
- Church of Malware git — Nightmare_Eclipse/GreenPlasma (historical mirror)
- Microsoft MSRC — CVE-2026-45586
- Blackfort Technology — GreenPlasma analysis
- HivePro — June 2026 Patch Tuesday advisory
- James Forshaw — Google Project Zero CTF research (2019 context)
- OFFSITE.DARK — RoguePlanet cluster index