‘Patched’ Windows bug resurfaces 6 years later as working SYSTEM-level exploit

A Windows elevation of privilege vulnerability (CVE-2020-17103) in the Cloud Filter driver 'cldflt.sys', originally patched by Microsoft in December 2020, has resurfaced as a working SYSTEM-level exploit. Researcher Nightmare-Eclipse discovered the original Google Project Zero proof-of-concept still works unchanged on fully patched Windows systems, allowing standard users to escalate to SYSTEM privileges via a race condition. The flaw involves arbitrary registry key creation in the .DEFAULT user hive without proper access checks. Security researcher Will Dormann confirmed the bug persists through May 2026 updates, though it appears fixed in the latest Windows 11 Canary Insider build. This is part of a broader disclosure spree by Nightmare-Eclipse that includes BlueHammer, RedSun, UnDefend, YellowKey, and GreenPlasma — several of which have been observed in real-world intrusions.