Windows Collaborative Translation Framework 0-Day Vulnerability Allows Privilege Escalation

Windows administrators should quickly deploy Microsoft’s June 9, 2026 security updates to fix a newly disclosed zero‑day in the Windows Collaborative Translation Framework (CTFMON), tracked as CVE‑2026‑45586.

The flaw allows a local attacker with low privileges to escalate to SYSTEM, making it a valuable post‑exploitation primitive for threat actors.

Windows CTF 0-Day Vulnerability

CVE‑2026‑45586 is an elevation-of-privilege vulnerability in the Windows Collaborative Translation Framework, which is implemented by the CTFMON process used for text, voice, and handwriting input.

The underlying bug is classified as CWE‑59: Improper Link Resolution Before File Access, also known as unsafe “link following.”

Because of this weakness, CTFMON can be tricked into following attacker‑controlled links and accessing or executing files with elevated privileges.

Microsoft assigned the issue an “Important” severity rating and a CVSS v3.1 base score of 7.8, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

This indicates that the attack is local, low-complexity, requires only low privileges, and does not require user interaction, but can severely impact confidentiality, integrity, and availability.

Microsoft confirms that CVE‑2026‑45586 was publicly disclosed before a patch was available, so it is treated as a zero‑day.

At the time of release, there were no reports of in‑the‑wild exploitation, but Microsoft’s exploitability index rates it as “Exploitation More Likely.”

Several Patch Tuesday analyses call out this CTFMON bug as one of the key zero‑days in the June 2026 batch. If successfully exploited, the vulnerability allows an attacker to gain full SYSTEM privileges.

This makes it particularly useful for attackers who already have an initial foothold via phishing, malware, or stolen credentials and are looking to move from a standard user context to complete control of the endpoint.

CVE‑2026‑45586 affects a broad range of supported Windows client and server versions, including Windows 10, Windows 11, and Windows Server families.

Microsoft has released patches for Windows Server 2012 and 2012 R2, Windows Server 2016, 2019, 2022, and 2025, as well as Windows 10 Versions 1607, 1809, 21H2, 22H2, and Windows 11 Versions 23H2, 24H2, 25H2, and 26H1 on x64 and ARM64 where applicable.

Each platform is remediated via a specific KB, such as KB5094041/KB5094042 (Server 2012/2012 R2), KB5094122 (Windows 10 1607/Server 2016), KB5094123 (Windows 10 1809/Server 2019), KB5094128 (Server 2022), KB5094127 (Windows 10 21H2/22H2), KB5093998, KB5094126, KB5095051, and KB5094125 for Windows 11 and Windows Server 2025 variants.

Microsoft lists these as official fixes with confirmed report confidence.

The attack abuses unsafe link‑following in CTFMON’s file handling, allowing malicious links (such as symbolic links or junctions) in user‑writable paths to redirect privileged file operations toward attacker‑controlled locations.

Once chained correctly, this can lead to arbitrary code execution as SYSTEM from a low‑privilege context. Security vendors are already publishing signatures, rules, and guidance for this vulnerability as part of their June 2026 Patch Tuesday coverage.

Until patches are fully deployed, defenders should closely monitor CTFMON activity, abnormal process trees from low‑privilege users, and suspicious link creation in user‑writable directories, while prioritizing rapid patch rollout on high‑value servers and endpoints.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.