Overview
- Chaotic Eclipse published MiniPlasma on GitHub with source code and a compiled binary that spawns a SYSTEM-level command shell on current Windows 11.
- BleepingComputer and Will Dormann verified elevation on machines with the May 2026 updates, though Dormann said it did not work on the latest Insider Preview Canary build.
- The exploit targets the Windows Cloud Files Mini Filter Driver (cldflt.sys) by abusing an undocumented CfAbortHydration call to create keys in the .DEFAULT registry hive and then escalate privileges.
- The researcher says the bug is the same issue Google Project Zero reported in 2020 as CVE-2020-17103 and claims Microsoft never fully fixed it or later rolled the fix back.
- Microsoft says it supports coordinated disclosure and is investigating. The public PoC raises short-term risk for users because code already running locally on a PC can now more easily gain full control.