Patch Tuesday

Winsage
May 18, 2026
Microsoft has acknowledged a potential issue with its May 2026 security update, which may fail to install properly due to insufficient space in the EFI System Partition (ESP). If the available space in the ESP drops below 10 MB, users may encounter a 0x800f0922 error code, leading to installation failures during the reboot phase. This issue affects Windows 11 versions 25H2 and 24H2. Microsoft has proposed two solutions: a registry edit or a Known Issue Rollback (KIR), which has already propagated to consumer and non-managed business devices. The update addresses several critical Microsoft CVEs, although there have been no reports of active exploitation.
Winsage
May 15, 2026
Microsoft's Patch Tuesday update for Windows 11, KB5089549, released on May 13, 2026, has caused installation issues for some users, who receive an error message indicating a rollback. Additionally, a smaller group has reported decreased internet performance after the update. Users facing installation failures may see the system revert to the previous version automatically and can attempt to reinstall the update or troubleshoot by clearing the SoftwareDistribution cache or using the Windows Update troubleshooter.
Winsage
May 15, 2026
Microsoft has released an extensive update for Azure Linux 3.0 and CBL Mariner 2.0, addressing 191 open-source Common Vulnerabilities and Exposures (CVEs) across various technologies, including the Linux kernel, Go runtime, Apache httpd, PHP, CoreDNS, Valkey, Ruby, GnuTLS, Apache Thrift, Node.js, Rust, Java implementations, Vim, Postfix, Expat, Nmap, Prometheus, KEDA, and PgBouncer. Additionally, Microsoft has fixed a critical vulnerability (CVE-2026-41103) in its Single Sign-On (SSO) Plugin for Jira and Confluence, which allows an attacker to forge a Microsoft Entra ID identity through a manipulated SAML response; however, patching this vulnerability is the responsibility of the users of Atlassian's platforms.
Winsage
May 15, 2026
The May optional update for Windows 11 introduces several features, including shared audio for Bluetooth LE accessories, simultaneous camera access for multiple applications, and NPU usage visibility in Task Manager. The update also improves the Magnifier accessibility feature and aims to enhance app launch speeds and core shell experiences. Additionally, Microsoft has released a first build of version 26H1 on the Release Preview Channel, which is intended for devices powered by Qualcomm Snapdragon® X2 Series chips. Devices running version 26H1 will not be eligible for the next annual feature update scheduled for late 2026.
Winsage
May 15, 2026
Windows systems are threatened by a vulnerability in the Windows DNS Client, identified as CVE-2026-41096, which allows remote code execution without user intervention. It has a CVSS base score of 9.8, indicating high severity. The flaw is a heap-based buffer overflow in the dnsapi.dll component, enabling unauthenticated remote attackers to execute arbitrary code. Exploitation requires sending a specially crafted DNS response to a vulnerable system, potentially leading to complete control over the host. Affected systems include supported versions of Windows 11 and Windows Server 2022/2025. Microsoft released security updates on May 12, 2026, and administrators are advised to apply these patches and reboot systems. Despite the severity, Microsoft currently classifies exploitation as “Exploitation Unlikely,” with no known public exploits or in-the-wild attacks.
Winsage
May 14, 2026
Microsoft has introduced MDASH (Multi-Model Agentic Scanning Harness), a security solution that uses over 100 specialized AI agents to identify software vulnerabilities. On May 12, 2026, MDASH identified 16 new vulnerabilities (CVEs) in the Windows networking and authentication stack, four of which were critical, including remote code execution vulnerabilities in tcpip.sys, ikeext.dll, netlogon.dll, and dnsapi.dll. Ten of these vulnerabilities can be accessed over the network without authentication. MDASH operates through a four-stage pipeline: analyzing source code, scrutinizing for suspicious elements, debating the exploitability of issues, and attempting to exploit vulnerabilities. The system is model-agnostic and allows integration of new models and domain-specific knowledge. MDASH scored 88.45 percent on the CyberGym benchmark, ranking first among competitors, although the comparison may not be entirely fair as it contrasts a comprehensive framework with individual models. The models used to achieve this score are not specified. MDASH is supported by Microsoft's Autonomous Code Security Team and is currently in a limited private preview for select customers.
Winsage
May 14, 2026
An anonymous cybersecurity researcher disclosed two new zero-day vulnerabilities affecting Microsoft systems: YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that operates as a backdoor within the Windows Recovery Environment, impacting Windows 11 and Windows Server 2022/2025. Exploiting YellowKey involves copying specially crafted files to a USB drive, connecting it to a Windows computer, and rebooting into WinRE. The researcher expressed skepticism about Microsoft's response time to this vulnerability, noting that using TPM+PIN does not mitigate the risk. GreenPlasma is a privilege escalation vulnerability that allows an unprivileged user to obtain a shell with SYSTEM permissions through arbitrary section creation in Windows CTFMON. The proof-of-concept for this exploit is incomplete but indicates potential manipulation of trusted privileged services or drivers. Additionally, a related attack against BitLocker was detailed by French cybersecurity firm Intrinsec, which exploits a boot manager downgrade using CVE-2025-48804 to bypass encryption protections on fully patched Windows 11 systems. This method allows attackers to boot from a controlled WIM while the boot manager checks the legitimate one, executing with the decrypted BitLocker volume. Despite Microsoft releasing fixes for this defect in July 2025, a flaw in Secure Boot verification allows a vulnerable boot manager to bypass BitLocker safeguards. To mitigate these risks, enabling a BitLocker PIN at startup and migrating to a new boot manager certificate is recommended.