A researcher operating under the handle Chaotic Eclipse published a working exploit on GitHub on May 13 that gives any local user a SYSTEM shell on a fully patched Windows 11 Pro machine, including hosts that have already installed the May 2026 cumulative update. Dubbed MiniPlasma, the bug lives in cldflt.sys, the Windows Cloud Files Mini Filter driver behind OneDrive's Files On-Demand and every other Cloud Sync Provider, and it is, according to the researcher, the same flaw Google Project Zero's James Forshaw reported in September 2020 and that Microsoft said it had fixed as CVE-2020-17103 in December of that year. It is, plainly, not dead.
What the bug actually does
The vulnerable path is in HsmOsBlockPlaceholderAccess, the routine the driver runs when an application opens a placeholder file whose backing data has not yet been hydrated. Inside that routine, the driver eventually calls an undocumented kernel-only entrypoint, CfAbortHydration, which records state in a registry key under the .DEFAULT user hive. The problem is who gets checked. The driver's code executes on the calling thread, but it creates the key with ZwCreateKey, and Zw* calls made from kernel mode run with a previous mode of KernelMode, which makes the object manager skip its access check unless the driver explicitly forces one (OBJ_FORCE_ACCESS_CHECK). That is the primitive the writeup describes: the key is created with the driver's kernel-mode privilege rather than against the user's token, so a standard user who triggers the right hydration-abort sequence on a placeholder file they control can make cldflt.sys create arbitrary registry keys under HKU\.DEFAULT on their behalf.
From there it is a short walk to SYSTEM. HKU\.DEFAULT is the hive that HKEY_CURRENT_USER resolves to for processes running as LocalSystem (it is also the profile in use at the logon screen before anyone signs in), so any LocalSystem service that reads per-user configuration from HKCU is now reading subkeys an attacker can plant. The PoC chains a planted key to coerce a privileged service into loading attacker-controlled code, yielding nt authority\system.
Why this is embarrassing
Forshaw reported the same primitive in late 2020. Microsoft issued CVE-2020-17103, the advisory said the issue was fixed, and the case was closed. Chaotic Eclipse's writeup walks through the December 2020 patch and argues that the check was either never wired up correctly or was removed in a later refactor of the driver. The PoC works against the cldflt.sys builds shipping with the May 2026 cumulative, five and a half years after the original report, and against every supported Windows 10 and Windows 11 SKU the researcher tested. It does not work against the current Windows 11 Insider Preview Canary build, which suggests (though does not prove) that Microsoft has a real fix in the development branch and has not yet shipped it to anything an enterprise actually runs.
Affected, mitigations, impact
Confirmed affected: Windows 10 22H2, Windows 11 22H2/23H2/24H2, and Windows Server 2019/2022/2025, all at the May 2026 patch level. No CVE had been assigned at time of publication and Microsoft has not released a patch. The exploit requires local code execution as any user, a low bar that sits comfortably behind a phishing payload, a malicious npm postinstall script, or a compromised RMM agent. For infrastructure teams, the blast radius is anything that lets a low-privileged process land on a Windows host: Citrix and AVD session hosts, jump boxes, Windows CI runners, Exchange and SharePoint front-ends, and any host where low-privileged user or service-account sessions run alongside privileged services.
Short-term mitigations are unpleasant. The Cloud Filter driver cannot be safely disabled on hosts that depend on OneDrive or Azure Files sync, and removing cldflt.sys from the boot stack will break those features. The cleaner controls sit upstream of the bug: block unsigned or unexpected binaries from running out of user-writable paths with WDAC or AppLocker (an enforced WDAC policy also puts PowerShell into Constrained Language Mode for non-admin users, which narrows the scripted route to the same primitive but does nothing against a native PoC that is already allowed to run), and watch for new keys and values under HKEY_USERS\.DEFAULT\Software and \System from anything other than a known SYSTEM process. Because the driver performs the registry operation on the calling thread, Sysmon's registry callbacks attribute the event to the user's process rather than to a SYSTEM process, so Sysmon RegistryEvent (Event ID 12 for key create/delete, 13 for value writes, 14 for renames) catches the primitive directly, provided your Sysmon configuration actually includes a rule for that prefix (registry events are not logged without one) and you have a baseline for .DEFAULT writes, which on a healthy system should be close to zero.
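The detection described above, written out as an added example that is not part of the researcher's writeup or of any Microsoft or Sysmon tooling. It takes Sysmon registry events (IDs 12/13/14) in the Windows event XML rendering, the shape Get-WinEvent's ToXml() returns, and flags any write under HKU\.DEFAULT\Software or HKU\.DEFAULT\System that either comes from a non-SYSTEM identity or from a SYSTEM process and key prefix not in a known-good baseline. The sample events, image paths, SIDs, key names and the baseline entry are all constructed for this example; the rendering of the hive prefix as HKU\.DEFAULT in TargetObject is an assumption to confirm against your own telemetry.

```python
"""
Added example, not code from the MiniPlasma writeup: flag Sysmon registry
events that touch HKU\\.DEFAULT from anything other than a baselined SYSTEM process.

Assumptions: input records are Sysmon Event ID 12/13/14 events in Windows event
XML; the sample events below are constructed, as are the paths and key names.
"""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon registry event IDs: 12 = key create/delete, 13 = value set, 14 = rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# HKU\.DEFAULT is what LocalSystem sees as HKCU; user code has no business writing here.
WATCHED_PREFIXES = (r"hku\.default\software", r"hku\.default\system")

# The only identity expected to write under these prefixes.
EXPECTED_USERS = {r"nt authority\system"}

# Baseline of (image, key prefix) pairs observed on a known-good host. Constructed; keep it short.
BASELINE = {
    (r"c:\windows\system32\svchost.exe", r"hku\.default\software\microsoft"),
}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into the handful of fields the rule needs."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVT_NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "event_id": event_id,
        "event_type": data.get("EventType", ""),
        "image": data.get("Image", ""),
        "user": data.get("User", ""),
        "target": data.get("TargetObject", ""),
        "pid": data.get("ProcessId", ""),
    }


def evaluate(event):
    """Return an alert line for an unexpected HKU\\.DEFAULT write, or None if it is benign."""
    if event["event_id"] not in REGISTRY_EVENT_IDS:
        return None
    target = event["target"].lower()
    if not target.startswith(WATCHED_PREFIXES):
        return None  # some other hive; not this rule's concern
    image = event["image"].lower()
    baselined = any(image == img and target.startswith(prefix) for img, prefix in BASELINE)
    if event["user"].lower() in EXPECTED_USERS and baselined:
        return None  # SYSTEM, from a binary and key prefix we have seen before
    return (f"{event['event_type']} on {event['target']} by {event['image']} "
            f"(pid {event['pid']}, user {event['user'] or 'unknown'})")


def scan(xml_events):
    """Run the rule over a sequence of event XML strings and collect the alerts."""
    return [alert for alert in (evaluate(parse_sysmon_event(x)) for x in xml_events) if alert]


def _event(event_id, event_type, image, user, target, pid):
    """Build a minimal Sysmon-style event XML string (constructed test data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="EventType">{event_type}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry. Every path, SID and key name here is invented.
SAMPLE_EVENTS = [
    # 1. A LocalSystem service touching its own profile hive; matches the baseline.
    _event(13, "SetValue", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
           r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache", 1204),
    # 2. The pattern in the text: a standard user's process ends up creating a key under .DEFAULT.
    _event(12, "CreateKey", r"C:\Users\alice\AppData\Local\Temp\stage.exe", r"CORP\alice",
           r"HKU\.DEFAULT\Software\Example\Planted", 5816),
    # 3. The same user process writing in its own hive; outside the watched prefixes.
    _event(13, "SetValue", r"C:\Users\alice\AppData\Local\Temp\stage.exe", r"CORP\alice",
           r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Example\Setting", 5816),
    # 4. SYSTEM, but from a binary and key prefix the baseline has never seen; still worth a look.
    _event(12, "CreateKey", r"C:\Windows\Temp\updater.exe", r"NT AUTHORITY\SYSTEM",
           r"HKU\.DEFAULT\System\Example", 7310),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Events 2 and 4 produce alerts; 1 and 3 do not. To feed real data, export the Sysmon operational log with Get-WinEvent and pass each record's ToXml() output to scan(); the Sysmon side needs a RegistryEvent include rule whose TargetObject begins with HKU\.DEFAULT, since Sysmon logs no registry activity without one.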
Watch for an out-of-band patch. Until then, treat MiniPlasma as live: PoC is public, the abuse pattern is mechanical, and the gap between “researcher disclosure” and “commodity LPE module in the next loader campaign” is measured in days.
References
- Chaotic Eclipse: MiniPlasma, a powerful LPE (researcher writeup)
- BleepingComputer — New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released
- The Hacker News — MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
- Security Affairs — Chaotic Eclipse discloses MiniPlasma, suggesting a missing or undone 2020 Windows security fix
- Microsoft Security Response Center: CVE-2020-17103, Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (original advisory)