Microsoft patched a high-severity elevation-of-privilege vulnerability (CVE-2026-45586) in the Windows Collaborative Translation Framework (CTF/CTFMON) on June 9, 2026, as part of its largest-ever Patch Tuesday release covering 206 vulnerabilities.
Rated “Important” with a CVSS score of 7.8, the flaw allows an attacker with low-level access to escalate privileges to SYSTEM, the highest level of control on a Windows machine, without any user interaction.
CVE-2026-45586 is a locally exploitable elevation-of-privilege (EoP) vulnerability rooted in CWE-59: Improper Link Resolution Before File Access (“Link Following”).
This class of weakness occurs when a program resolves symbolic links or junction points before accessing a target file, without verifying that the resolved path still points to the originally intended resource.
An attacker can place a malicious symlink at the expected location, redirecting file operations to a sensitive system resource and effectively hijacking a privileged process’s file I/O.
The vulnerability resides in the Windows Collaborative Translation Framework, a long-standing Windows subsystem responsible for managing text input services, Input Method Editors (IMEs), and language-related accessibility features across all applications.
The CTFMON process (ctfmon.exe) runs persistently in user sessions and acts as a broker between input clients and the CTF server. Because virtually every GUI application on Windows loads the CTF client library, a flaw in this subsystem has a sweeping attack surface.
According to Microsoft’s advisory, the vulnerability stems from how the CTF framework handles file access operations without first properly validating the resolved link target. When CTFMON performs a file operation such as reading or writing configuration or state data it follows a symbolic link or directory junction without confirming that the resolved path hasn’t been tampered with by an unprivileged user.
An attacker who already holds a local, low-privileged account (or has compromised a standard user process) can:
- Create a symbolic link or junction pointing a CTF-related file path to a sensitive system file or directory.
- Trigger the CTF framework’s file access operation, causing it to operate on the attacker-controlled target path.
- Leverage the resulting write or read primitive to overwrite privileged files, inject payloads, or read protected data, ultimately achieving SYSTEM-level privilege escalation.
The CVSS 3.1 base score is 7.8 (High), with environmental adjustments bringing the temporal score to 6.8. The attack vector is Local, requires Low Privileges, has Low Attack Complexity, and demands no User Interaction a dangerous combination for any attacker who has already established an initial foothold on a target system.
Microsoft’s exploitability assessment labels this vulnerability as “Exploitation More Likely” and, notably, it was publicly disclosed before the patch release, meaning the technical details were available to threat actors before many organizations applied the fix.
Affected Windows Versions
The vulnerability impacts a remarkably wide range of Windows products, spanning legacy and modern versions:
| Platform | Affected Versions | KB Article |
|---|---|---|
| Windows 10 | 1607, 1809, 21H2, 22H2 | KB5094122, KB5094123, KB5094127 |
| Windows 11 | 23H2, 24H2, 25H2, 26H1 | KB5093998, KB5094126, KB5095051 |
| Windows Server | 2012, 2012 R2, 2016, 2019, 2022, 2025 | KB5094041–KB5094128 |
The breadth of affected systems underscores the systemic nature of the CTF subsystem; it is present across essentially every supported (and some unsupported) Windows release still in deployment.
This is not the first time CTFMON has been in the security spotlight. In 2019, Google Project Zero researcher Tavis Ormandy publicly disclosed a set of critical design flaws in the CTF protocol, demonstrating that the architecture allowed low-privileged or sandboxed processes to communicate with privileged CTF sessions.
Those findings revealed that an attacker could send commands to administrator console sessions, escape IL/AppContainer sandboxes, and take control of UAC consent dialogs, all through the CTF message-passing interface.
Microsoft addressed one ALPC-related EoP issue (CVE-2019-1162) at the time, but the broader attack surface remained a concern for security researchers.
CVE-2026-45586 demonstrates that link-following vulnerabilities in this subsystem remain an active risk vector seven years later, particularly as the CTF framework continues to evolve alongside new input and accessibility features in Windows 11 and Windows Server 2025.
Mitigation
Microsoft has released official security patches for all affected platforms as part of the June 9, 2026 Patch Tuesday update cycle. Organizations should prioritize the following actions:
- Apply the relevant KB updates immediately, especially for internet-facing servers and privileged workstations (KB5094125 for Server 2025, KB5094126 for Windows 11 24H2/25H2, KB5094127 for Windows 10 21H2/22H2).
- Check Point Security Gateway customers can activate IPS protection CPAI-2026-6034 to detect exploitation attempts at the network perimeter.
- Monitor for local privilege escalation indicators: unexpected SYSTEM-level process spawning from user-context parents, suspicious symlink creation in temp directories, or CTF-related process anomalies.
- Audit accounts with local access and apply least-privilege principles since this vulnerability requires only a low-privileged local account to exploit.
- For legacy systems such as Windows Server 2012/2012 R2, apply the Monthly Rollup KB5094041/KB5094042 immediately, as these platforms may lack modern endpoint protections to compensate for this.
Since exploit code has not yet been publicly released and no in-the-wild exploitation has been confirmed, patching during this window is critical before weaponized exploits emerge.
FAQ
What is CVE-2026-45586? It is a Windows CTFMON elevation-of-privilege vulnerability that exploits improper symbolic link resolution, allowing a low-privileged attacker to gain SYSTEM-level access locally.
Does CVE-2026-45586 require user interaction to exploit? No, the attack requires only a low-privileged local account and no user interaction, making it particularly dangerous in multi-user or server environments.
Which Windows versions are affected by CVE-2026-45586? The vulnerability impacts Windows 10 (versions 1607 through 22H2), Windows 11 (versions 23H2 through 26H1), and Windows Server 2012 through 2025.
How can organizations fix CVE-2026-45586? Apply the official Microsoft security update released on June 9, 2026, via the relevant KB article for your platform, available through Windows Update or the Microsoft Update Catalog.
About the Author
