GreenPlasma – Windows CTFMON Arbitrary Section Creation Zero-Day LPE
Scope: Windows 11, Windows Server 2022, 2025, and 2026
Severity: High
A researcher known as Chaotic Eclipse (Nightmare-Eclipse), who previously disclosed the Windows Defender zero-days BlueHammer and RedSun (both of which were exploited in the wild shortly after public release), has published a partial proof-of-concept for GreenPlasma, an unpatched privilege escalation flaw in the Windows Collaborative Translation Framework (CTFMON). The vulnerability allows any unprivileged user to create arbitrary memory section objects inside SYSTEM-writable directory objects. Those sections can be abused to manipulate trusted services and kernel-mode drivers into executing attacker-controlled code, potentially leading to full SYSTEM shell access. Microsoft has not yet issued a patch. Organizations should monitor MSRC for updates, disable CTFMON via AppLocker where it is not required, and deploy Sysmon event IDs 10 and 15 to monitor for suspicious section creation activity.
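The following PowerShell script is an added example of the Sysmon-based monitoring recommended above; it is not part of the advisory and not the researcher's proof-of-concept. It assumes Sysmon is installed with rules that emit event ID 10 (ProcessAccess) and event ID 15 (FileCreateStreamHash), and it reads them from the standard Microsoft-Windows-Sysmon/Operational channel. The `$LookbackHours` window and the `ctfmon.exe` name filter are illustrative choices. Note that Sysmon does not record section object creation directly, so what this surfaces is the process-access and alternate-data-stream activity that Sysmon does log around ctfmon.exe, which is where abuse of the loader would be expected to show up for triage.

```powershell
# Added detection example (not from the advisory): review Sysmon event IDs 10 and 15
# for activity involving ctfmon.exe. Assumes Sysmon is installed and configured to log
# ProcessAccess (ID 10) and FileCreateStreamHash (ID 15). The lookback window and the
# process name are assumptions for illustration; adjust them to the environment.
param(
    [int]$LookbackHours = 24,
    [string]$Process = 'ctfmon.exe'
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10, 15
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# -ErrorAction SilentlyContinue keeps "No events were found" from aborting the script
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields as named <Data> elements in the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        10 {
            # ProcessAccess: a handle was opened to ctfmon.exe, or by ctfmon.exe
            if ($d.TargetImage -like "*\$Process" -or $d.SourceImage -like "*\$Process") {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Id     = 10
                    Source = $d.SourceImage
                    Target = $d.TargetImage
                    Detail = "GrantedAccess=$($d.GrantedAccess)"
                }
            }
        }
        15 {
            # FileCreateStreamHash: ctfmon.exe wrote a file carrying an alternate data stream
            if ($d.Image -like "*\$Process") {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Id     = 15
                    Source = $d.Image
                    Target = $d.TargetFilename
                    Detail = "Hash=$($d.Hash)"
                }
            }
        }
    }
}
```

Run it from an elevated PowerShell session (reading the Sysmon channel requires administrative rights) and pipe the output to `Format-Table -AutoSize` for review or to `Export-Csv` for collection. On a healthy host, expect event ID 10 hits from ordinary input-method and accessibility processes touching ctfmon.exe; the handles worth a closer look are those opened by processes that have no reason to interact with the CTF loader, or any event ID 15 entry attributed to ctfmon.exe, which normally does not write files with alternate data streams.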
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.