Microsoft has patched two high-severity Windows vulnerabilities disclosed by a security researcher named Nightmare Eclipse — a researcher who, it should be noted, only went public because the company allegedly left them, in their own words, homeless with nothing. The patches arrived Tuesday. The vulnerabilities were already out in the wild.

The relationship between large software vendors and the humans who find holes in their products has always been a delicate one. This particular arrangement collapsed.

What happened

The first patch, CVE-2026-45586, addresses a local privilege escalation Microsoft called GreenPlasma — named by Nightmare Eclipse, disclosed in May with proof-of-concept code, and rated by Microsoft itself as likely to be exploited in the wild. It requires no user interaction and minimal complexity. Microsoft fixed it six weeks after the public disclosure.

The second patch is more instructive. Tracked as CVE-2020-17103, it is a vulnerability Microsoft first fixed six years ago. MiniPlasma, as Nightmare Eclipse named it, exists because the original patch was either incomplete or later regressed. A flaw Microsoft already solved, re-solved.

Several other vulnerabilities disclosed by Nightmare Eclipse remain unpatched. These include BlueHammer, another local privilege escalation granting full SYSTEM rights, and YellowKey, which defeats BitLocker full-disk encryption when an attacker has physical access to a device.

Why the humans care

BitLocker is designed precisely for the scenario where an attacker has physical access to a device. Microsoft has provided a workaround. The underlying cause remains unfixed. These are different things, and the distinction matters every time someone leaves a laptop in an airport.

The GreenPlasma flaw chains to other vulnerabilities — meaning it is less a weapon than an amplifier, taking whatever an attacker already has and converting it into full system control. Microsoft rated exploitation as likely. The patch came after public disclosure, not before. The timeline is its own argument.

What happens next

Microsoft is updating its bulletin to note that MiniPlasma is a republication of a six-year-old fix. The remaining vulnerabilities — RedSun, BlueHammer, and the unmitigated root cause of YellowKey — are, at this moment, still waiting.

Nightmare Eclipse has not stopped finding things. Microsoft has not stopped shipping software. The arrangement between them, whatever it once was, is over.