CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A link-following (symlink/junction abuse) privilege escalation vulnerability exists in the Windows Collaborative Translation Framework (CTFMON) component, affecting Windows 10 and Windows 11 across multiple release versions. The vulnerability is reachable locally and requires only a low-privilege account, with no victim interaction needed; CVSS v3.1 scores this at 7.8 HIGH. Successful exploitation gives the attacker full read, write, and execution control at an elevated privilege level on the compromised host. Patched-image rebuilds at the fix versions listed above are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Windows-based container images that carry an affected CTFMON component version. Any image whose OS layer falls within the vulnerable version ranges for Windows 10 or Windows 11 is flagged automatically.
HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each customer organization's compliance policy to determine urgency and escalation path. Triage results are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.
A patched-image rebuild at each of the documented fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and the corresponding Windows 11 builds) is available on HarborGuard for environments running an affected base image. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrator or system-level credentials to trigger the vulnerability.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker can execute the exploit entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.
Blast Radius
- A successful attacker elevates from a low-privilege user account to a higher-privilege context, gaining the ability to read sensitive files and credentials that were previously inaccessible.
- The attacker can write to protected system paths or registry locations, enabling persistent backdoors or modification of security-critical configuration.
- The attacker gains the ability to execute code at elevated privilege, effectively taking full control of the affected Windows host.
- All three CIA dimensions are rated HIGH, so confidentiality, data integrity, and service availability of the host are each fully compromised.
How HarborGuard Handles This
Available on HarborGuard: detection against this CVE is active for all customer images the moment the advisory is ingested, covering Windows 10 and Windows 11 base layers across every affected version range. For environments running a vulnerable image, a rebuild at the appropriate patched OS version is available through the HarborGuard pipeline. For customers who opt into auto-remediation, the typical flow includes a patched-image rebuild, a regression-test run, and a pull request opened against affected workloads; for high-severity findings like this one, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, HarborGuard surfaces the finding with full CVSS context and affected-image inventory so teams can prioritize and act without additional triage overhead.
Fix available
- Microsoft / Windows 10 Version 1607 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2 < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2 < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2 < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2 < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1 < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012 < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation) < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2 < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation) < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation) < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation) < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022 < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
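Matching an image's OS layer against the fix-version list above has two pitfalls: builds must be compared numerically, and Windows 11 Version 24H2 and Windows Server 2025 share the 10.0.26100 branch but have different fixed revisions. The following is an added example, not HarborGuard's code; the inventory shape, the image names and the `check_image`/`triage` helpers are assumptions for illustration.

```python
# Added example. Rows are (product, first affected build, first fixed build),
# copied from six entries of the "Fix available" list on this page.
AFFECTED = [
    ("Windows 10 Version 1607", "10.0.14393.0", "10.0.14393.9234"),
    ("Windows 10 Version 22H2", "10.0.19045.0", "10.0.19045.7417"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows Server 2012", "6.2.9200.0", "6.2.9200.26132"),
    ("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
]

def parse_build(text):
    """Turn 'major.minor.build.revision' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {text!r}")
    return tuple(int(p) for p in parts)

def check_image(product, os_version):
    """Return (status, fixed_build); status is vulnerable, patched or unknown."""
    version = parse_build(os_version)
    for name, first, fixed in AFFECTED:
        lo, hi = parse_build(first), parse_build(fixed)
        # Match on product AND branch (major.minor.build): the same branch can
        # carry different fixed revisions for different products.
        if name == product and version[:3] == lo[:3]:
            return ("vulnerable" if lo <= version < hi else "patched"), fixed
    return "unknown", None  # product or branch not in the table: do not guess

def triage(inventory):
    """Names of images flagged vulnerable; rows are (image, product, os_version)."""
    return [img for img, prod, ver in inventory
            if check_image(prod, ver)[0] == "vulnerable"]

# Constructed inventory (image names and builds are made up for illustration).
SAMPLE = [
    ("app-a", "Windows 11 Version 24H2", "10.0.26100.9000"),
    ("app-b", "Windows Server 2025", "10.0.26100.9000"),
    ("app-c", "Windows Server 2012", "6.2.9200.26132"),
    ("app-d", "Windows Server 2022", "10.0.20348.587"),
]

if __name__ == "__main__":
    for img, prod, ver in SAMPLE:
        print(img, prod, ver, *check_image(prod, ver))
```

The same build, 10.0.26100.9000, is reported as patched for Windows 11 Version 24H2 and as vulnerable for Windows Server 2025, which a plain string comparison of the version would get wrong.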