Windows CTFMON Arbitrary Section Object EoP — GreenPlasma (CVE-2026-45586)
by Nightmare-Eclipse (ASkyeye re-host) · 2026-06-28
- Severity: High
- CVE: CVE-2026-45586
- Category: binary
- Affected product: Windows Collaborative Translation Framework (CTFMON service)
- Affected versions: Windows 11, Windows Server 2022, Windows Server 2026; Windows 10 status unclear
- Disclosed: 2026-06-28
- Patch status: patched
- Archive entry: intelseclab/poc-archive

Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-28 |
| Last Updated | 2026-05-12 |
| Author / Researcher | Nightmare-Eclipse (ASkyeye re-host) |
| CVE / Advisory | CVE-2026-45586 |
| Category | binary |
| Severity | High |
| CVSS Score | 7.8 (CVSSv3) |
| Status | PoC |
| Tags | LPE, EoP, Windows, CTFMON, section-object, object-directory, link-following, zero-day, CTF-challenge, Windows-11, Windows-2022, Windows-2026, incomplete-poc |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Windows Collaborative Translation Framework (CTFMON service) |
| Versions Affected | Windows 11, Windows Server 2022, Windows Server 2026; Windows 10 status unclear |
| Language / Platform | C++ (Windows x64) |
| Authentication Required | No (standard local user) |
| Network Access Required | No (local only) |
Summary
CVE-2026-45586 (GreenPlasma) is an elevation of privilege in the Windows CTFMON service built on an arbitrary named section object creation primitive. A standard, unprivileged local user abuses CTFMON's trust in certain object directory paths to get a section object created in a directory that only SYSTEM can normally write to; services or kernel-mode drivers that consume data from those paths without checking who created the object then operate on attacker-controlled content. Researcher "Nightmare Eclipse" published the bug as a zero-day before the June 2026 Patch Tuesday release fixed it. The included PoC (GreenPlasma.cpp) has the SYSTEM shell finalization step intentionally stripped by the researcher as a CTF challenge; the core primitive (arbitrary section creation) is complete.
Vulnerability Details
Root Cause
The CTFMON service (Windows Collaborative Translation Framework) resolves certain named object paths on behalf of its clients and trusts the result without checking that those paths can only be written by privileged principals. Because the name lookup follows links (CWE-59), a standard user can steer it so that a section object is created, with CTFMON's privilege, in an object directory the user could not write to directly. Any service or kernel-mode driver that later opens that name and maps the section without checking its owner consumes attacker-controlled data in a privileged execution context; that is the object substitution the PoC's primitive sets up.
Attack Vector
- As a standard user, identify a named object directory that is writable only by SYSTEM but that CTFMON (or a service sharing its trust in those paths) references.
- Using the primitive in GreenPlasma.cpp, have a section object created in that directory.
- The targeted service or driver opens the name and reads from the attacker-controlled section.
- Trigger the service's execution path to obtain SYSTEM (this finalization step is stripped from the PoC).
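The attack vector above turns on which object directories a standard user can create in directly and which only a privileged creator such as CTFMON can populate. The PowerShell below is an added example, not code from the GreenPlasma repository: it walks the object manager namespace with James Forshaw's NtObjectManager module and reports, for the current token, the directories it can create objects in and those it can only traverse. The cmdlet and property names (Get-NtDirectory, the NtDirectory Query() method, DirectoryAccessRights, the NtTypeName entry property) are assumed to match that module's API and should be checked with Get-Help and Get-Member. The page does not name the directory the PoC targets, so no specific path is asserted here; the sweep is a way to find candidates.

```powershell
# Added example, not code from the GreenPlasma repository.
# Requires: Install-Module NtObjectManager (James Forshaw). Run as the standard user
# whose reach you want to measure; cmdlet/property names are assumed per that module.
Import-Module NtObjectManager

# Report what the current token is actually granted on one object directory.
function Test-DirectoryCreateAccess {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Default access is MaximumAllowed, so GrantedAccess reflects the real access check.
        $dir = Get-NtDirectory -Path $Path
    } catch {
        return [pscustomobject]@{ Path = $Path; Opened = $false; CreateObject = $false; CreateSubDirectory = $false }
    }
    try {
        $g = $dir.GrantedAccess
        [pscustomobject]@{
            Path               = $Path
            Opened             = $true
            CreateObject       = $g.HasFlag([NtApiDotNet.DirectoryAccessRights]::CreateObject)
            CreateSubDirectory = $g.HasFlag([NtApiDotNet.DirectoryAccessRights]::CreateSubDirectory)
        }
    } finally {
        $dir.Dispose()
    }
}

# Breadth-first walk below $Root. Directories the caller can traverse but NOT create in,
# yet which a SYSTEM service creates in on the caller's behalf, are the shape of target the
# Attack Vector describes; directories the caller can create in directly are the low bar.
function Find-CreatableDirectories {
    param([string]$Root = '\', [int]$MaxDepth = 4)
    $results = New-Object System.Collections.Generic.List[object]
    $queue   = New-Object System.Collections.Generic.Queue[object]
    $queue.Enqueue(@{ Path = $Root; Depth = 0 })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $r = Test-DirectoryCreateAccess -Path $item.Path
        $results.Add($r)
        if (-not $r.Opened -or $item.Depth -ge $MaxDepth) { continue }
        # Listing children needs Query access; skip quietly where it is denied.
        try {
            $dir = Get-NtDirectory -Path $item.Path -Access Query
            foreach ($e in $dir.Query()) {
                if ($e.NtTypeName -ne 'Directory') { continue }   # symlinks are not followed
                $child = if ($item.Path -eq '\') { "\$($e.Name)" } else { "$($item.Path)\$($e.Name)" }
                $queue.Enqueue(@{ Path = $child; Depth = $item.Depth + 1 })
            }
            $dir.Dispose()
        } catch { }
    }
    $results
}

$all = Find-CreatableDirectories -Root '\' -MaxDepth 4
"Directories this token can create objects in:"
$all | Where-Object CreateObject | Select-Object -ExpandProperty Path
"Directories this token can open but not create in (candidates for privileged-creator abuse):"
$all | Where-Object { $_.Opened -and -not $_.CreateObject } | Select-Object -ExpandProperty Path
```

Run it once as a standard user and once elevated and diff the two lists; the directories that appear only in the elevated "can create" set but that unprivileged-facing services reference are where a CTFMON-style confused-deputy primitive matters.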
Impact
Elevation of privilege from a standard local user to SYSTEM. Fixed in the June 2026 Patch Tuesday update. The researcher confirmed the PoC on Windows 11, Windows Server 2022 and Windows Server 2026; Windows 10 was not confirmed.
Environment / Lab Setup
- OS: Windows 11 or Windows Server 2022/2026
- Compiler: MSVC (Visual Studio) or MinGW
- Build (MSVC): `cl.exe /O2 GreenPlasma.cpp`
- Build (MinGW): `g++ -O2 -o GreenPlasma.exe GreenPlasma.cpp`
Proof of Concept
PoC Code
See GreenPlasma.cpp in this folder. Incomplete: the SYSTEM shell finalization step was removed by the researcher. The arbitrary section creation primitive is functional.
From the researcher: “I stripped off the necessary code for a full SYSTEM shell. This is a huge challenge for CTF lovers out there.”
Expected Output (partial PoC)
A section object is created in the target SYSTEM-writable object directory; no SYSTEM shell is spawned, because the stripped finalization step is not present.
Detection & Indicators of Compromise
YARA (on-disk). The rule keys on literal strings from the published source: a rebuilt or renamed PoC with the "GreenPlasma" marker removed will only hit on "NtCreateSection" plus "ctfmon", which can also appear together in benign tooling, so treat a match as a lead rather than a verdict.

```yara
rule GreenPlasma_LPE {
    strings:
        $s1 = "GreenPlasma" wide ascii
        $s2 = "NtCreateSection" ascii
        $s3 = "ctfmon" wide ascii nocase
    condition:
        2 of them
}
```
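The YARA rule only catches the PoC at rest. At runtime, the consumer-side defence for this class of bug, and a usable hunting heuristic, is to look at who owns a named section before trusting it. The PowerShell below is an added example, not code from the page's repository: it reads a section's owner SID and compares it against SYSTEM, Administrators and TrustedInstaller, which is the check a privileged consumer should make before mapping a section it opened by name, and then sweeps a few standard directories for sections owned by anyone else. It assumes the NtObjectManager module (cmdlet names as understood from that module; verify with Get-Help); the SID strings are the well-known values, and the directory list is a starting point, not the directory this CVE targets, which the page does not name.

```powershell
# Added example, not from the GreenPlasma repository. Requires NtObjectManager
# (Install-Module NtObjectManager). Run elevated to see global and session-0 objects.
Import-Module NtObjectManager

# Owners a SYSTEM-level consumer should accept for a section it maps by name.
$TrustedOwnerSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Owner SID (SDDL string) of a named section, or $null if it cannot be opened for READ_CONTROL.
function Get-SectionOwnerSid {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $sec = Get-NtSection -Path $Path -Access ReadControl
    } catch { return $null }
    try {
        $sd = Get-NtSecurityDescriptor -Object $sec -SecurityInformation Owner
        $sd.Owner.Sid.ToString()
    } finally { $sec.Dispose() }
}

# The check a privileged consumer should make BEFORE mapping: refuse a section whose owner
# is not a trusted principal. A service that skips this is exactly what the object
# substitution described above exploits.
function Test-SectionOwnerTrusted {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Trusted = $TrustedOwnerSids)
    $owner = Get-SectionOwnerSid -Path $Path
    ($null -ne $owner) -and ($Trusted -contains $owner)
}

# Best-effort SID -> account name via .NET; falls back to the SID string.
function Resolve-SidName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Hunting sweep: sections in directories that SYSTEM services read from, but owned by an
# ordinary user, are anomalies worth a look. Per-user session directories are noisy; start
# with the global and session-0 directories.
function Find-UntrustedSections {
    param([string[]]$Directory = @('\BaseNamedObjects', '\Sessions\0\BaseNamedObjects', '\KnownDlls'))
    foreach ($d in $Directory) {
        try { $dir = Get-NtDirectory -Path $d -Access Query } catch { continue }
        try {
            foreach ($e in $dir.Query()) {
                if ($e.NtTypeName -ne 'Section') { continue }
                $full  = "$d\$($e.Name)"
                $owner = Get-SectionOwnerSid -Path $full
                if ($null -eq $owner -or $TrustedOwnerSids -contains $owner) { continue }
                [pscustomobject]@{ Section = $full; OwnerSid = $owner; OwnerName = Resolve-SidName $owner }
            }
        } finally { $dir.Dispose() }
    }
}

Find-UntrustedSections | Format-Table -AutoSize
```

After running the partial PoC in a lab, the section it creates should show up in this sweep with the test user's SID as owner if the target directory is one of those listed; if the PoC's target is elsewhere, add that directory to the list.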
Remediation
| Action | Detail |
|---|---|
| Patch | Apply June 2026 Microsoft Patch Tuesday cumulative update |
| Verify | Confirm CTF/CTFMON component is updated; check Windows Update history |
| MSRC | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586 |
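For the Verify row, the following PowerShell is an added example rather than something from the page's sources. It lists updates installed on or after 2026-06-09 (the second Tuesday of June 2026, assumed to be the relevant Patch Tuesday), prints the OS build and UBR, and reads the file versions of ctfmon.exe and msctf.dll. The fixed file version is not stated on this page, so $FixedVersion is a placeholder to be filled from the MSRC advisory or KB article; until it is set, the Patched column stays false.

```powershell
# Added example for the Verify step; not from the page's repository.
# June 2026 Patch Tuesday is the second Tuesday of the month, 2026-06-09 (assumption).
$PatchDate = [datetime]'2026-06-09'
# Placeholder: replace with the fixed version published in the KB for CVE-2026-45586.
$FixedVersion = [version]'0.0.0.0'

# Build number plus Update Build Revision, the pair that identifies a cumulative update level.
function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "{0}.{1}" -f $cv.CurrentBuildNumber, $cv.UBR
}

# Updates installed on or after $Since. InstalledOn can be empty for some entries; those are skipped.
function Get-UpdatesSince {
    param([Parameter(Mandatory)][datetime]$Since)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

# File versions of the CTF components named on this page.
function Get-CtfComponentVersions {
    foreach ($name in 'ctfmon.exe', 'msctf.dll') {
        $p  = Join-Path $env:SystemRoot "System32\$name"
        $vi = (Get-Item $p).VersionInfo
        [pscustomobject]@{
            File        = $p
            FileVersion = $vi.FileVersion
            Version     = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                          $vi.FileBuildPart, $vi.FilePrivatePart)
            Patched     = $false   # set below once $FixedVersion is known
        }
    }
}

"OS build: $(Get-OsBuild)"
"Updates installed on or after $($PatchDate.ToString('yyyy-MM-dd')):"
Get-UpdatesSince -Since $PatchDate | Format-Table -AutoSize
"CTF component versions (compare against the fixed version from the KB):"
Get-CtfComponentVersions | ForEach-Object {
    $_.Patched = ($FixedVersion -ne [version]'0.0.0.0') -and ($_.Version -ge $FixedVersion)
    $_
} | Format-Table -AutoSize
```

An empty update list after the patch date, or a component version below the KB's fixed version, means the host is still exposed; a cumulative update listed after the date but a stale component version usually means a pending reboot.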
References
- CVE-2026-45586
- MSRC CVE-2026-45586: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586
- Source repository (ASkyeye/GreenPlasma): https://github.com/ASkyeye/GreenPlasma
- BleepingComputer: Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days
- MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation)
Notes
Auto-ingested from https://github.com/ASkyeye/GreenPlasma on 2026-06-28. Original code by Nightmare-Eclipse; re-hosted by ASkyeye after Nightmare-Eclipse’s account was removed from GitHub. Disclosed as a publicly known zero-day before the June 2026 Patch Tuesday patch. The SYSTEM shell finalization step is intentionally absent — the core section-object primitive is present and functional. Completing the exploit requires reversing the stripped logic (positioned by the researcher as a CTF challenge for skilled practitioners).