CVE-2026-45586 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

An elevation of privilege vulnerability in Windows Collaborative Translation Framework, also known as CTFMON, could allow a local authenticated attacker to gain SYSTEM privileges. The issue is caused by improper link resolution before file access, also known as link following. Successful exploitation could let an attacker move from limited local access to complete control of the affected system.

CVSS Score: 7.8
SEVERITY: Important
THREAT:
This vulnerability threatens full system compromise. An attacker with low privileges on an affected system could elevate access to SYSTEM, allowing control over sensitive files, system settings, services, and security tools.

EXPLOITS:
Microsoft reports publicly disclosed: Yes and exploited: No. Exploit Code Maturity is listed as Unproven, meaning confirmed working exploit code is not identified in the provided data. Microsoft rates exploitation as more likely.

TECHNICAL SUMMARY:
The vulnerability is categorized as CWE-59: Improper Link Resolution Before File Access. The flaw occurs when Windows Collaborative Translation Framework improperly handles link resolution before accessing files. A local attacker with low privileges could abuse this behavior to redirect file operations and elevate privileges. Successful exploitation could grant SYSTEM-level permissions, giving the attacker high confidentiality, integrity, and availability impact on the affected device.

EXPLOITABILITY:
Affected software includes Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Exploitation requires local access and low privileges, but no user interaction.

BUSINESS IMPACT:
This vulnerability is dangerous because attackers often use privilege escalation after gaining an initial foothold. SYSTEM access can allow malware installation, defense evasion, credential theft, data modification, and deeper movement across the environment. For businesses, this can increase the impact of phishing, stolen credentials, or compromised standard user accounts.

WORKAROUND:
Microsoft lists no mitigations and no workarounds. Applying the official security update is the recommended action.

URGENCY:
This patch should be prioritized because exploitation is rated more likely and successful exploitation can grant SYSTEM privileges. Even though active exploitation is not reported, this type of bug can turn a minor local compromise into full endpoint control.