Microsoft fixes 120 flaws, zero‑days released

- Microsoft’s May 2026 Patch Tuesday fixed 120 vulnerabilities with no zero-days, then a researcher using Chaotic Eclipse and Nightmare-Eclipse dumped two fresh Windows exploits.
- The new bugs were dubbed YellowKey and GreenPlasma — a BitLocker bypass tied to stolen devices and a privilege-escalation flaw that can grant SYSTEM access.
- That turns a routine patch cycle into a trust problem for Windows fleets — especially laptops, admin tools, and staged enterprise rollouts.

Microsoft’s monthly Windows patch drop was supposed to be the boring kind. Microsoft fixed 120 security flaws on May 12, 2026, and none were listed as exploited in the wild or publicly disclosed before release. But within hours, a researcher using the names Chaotic Eclipse and Nightmare-Eclipse published details for two separate unpatched Windows zero-days. So the story is not “Patch Tuesday was quiet.” It’s that a normal patch day collided with two new holes that defenders cannot patch yet.

### What did Microsoft actually ship?

Microsoft’s May release covered 120 vulnerabilities across Windows, Office, Azure, Microsoft 365 apps, and developer tooling. Public writeups describe 16 or 17 of those as critical, depending on counting method, and roughly 29 to 31 as remote-code-execution bugs. The important part is simpler — there were a lot of fixes, but none were zero-days in the official release itself. (msrc.microsoft.com)

### So what changed after the patches landed?

The researcher dropped two new bugs right after Patch Tuesday. The first, YellowKey, is described as a BitLocker bypass. The second, GreenPlasma, is a privilege-escalation flaw that can hand an attacker SYSTEM-level access. That timing matters because security teams had just finished prioritizing Microsoft’s official fixes when two extra emergencies appeared outside the normal queue.

### Why is YellowKey the scarier name?

BitLocker is Windows’ built-in full-disk encryption. It is supposed to protect data when a laptop is lost or stolen. If YellowKey really weakens that protection in the ways early writeups suggest, then the risk shifts from “device stolen” to “device stolen and data exposed.” That is why security people are treating this one as more than a lab curiosity. (theregister.com)

### And what about GreenPlasma?

Privilege escalation bugs are the second half of a lot of real attacks. An intruder gets a foothold as a normal user, then uses a local flaw to become admin or SYSTEM. GreenPlasma fits that pattern. On its own, it does not necessarily break in from the internet, but paired with phishing, malware, or another bug, it can turn a small compromise into full machine control. (theregister.com)

### Why does the researcher angle matter?

This is not the first leak tied to the same person. Earlier reports connected Chaotic Eclipse to other Windows zero-day disclosures in April 2026, including BlueHammer. The broader pattern is a breakdown in coordinated disclosure — the process where a vendor gets time to validate and patch a bug before technical details go public. Once that breaks, defenders lose time and attackers gain instructions. (theregister.com)

### What should companies do right now?

Patch the 120 Microsoft flaws first — that still removes a huge amount of known risk. But don’t stop there. Treat stolen-device protections, admin separation, and endpoint monitoring as the urgent layer for YellowKey and GreenPlasma. If a laptop goes missing, assume BitLocker alone may not be the whole answer. If a user account looks compromised, assume local escalation may be possible. (theregister.com)

### Why does this hit developers too?

Because modern Windows fleets are full of build agents, remote management tools, cached credentials, and signing workflows. A privilege-escalation bug on a developer workstation or CI box is not just “one PC got popped.” It can become source-code access, token theft, or a poisoned software pipeline. That is why staged rollouts and tamper-resistant logs matter here — you need to know what changed, where, and whether the machine telling you “I’m healthy” can still be trusted. (msrc.microsoft.com) This is an inference from the kinds of access SYSTEM-level compromise usually enables.

### Bottom line?

Microsoft’s patch release was the manageable part. The harder problem arrived right after — two fresh zero-days, one aimed at encryption trust and one at local control. Basically, Patch Tuesday closed a lot of doors, but defenders still have to watch the windows. (theregister.com)
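As an added example, not from the article or from Microsoft, here is a PowerShell posture check an admin could run on Windows endpoints to surface the gaps the “what should companies do” guidance points at: BitLocker volumes that are unprotected or unlock with the TPM alone, bloated local Administrators membership, TPM readiness, and the newest installed update. It assumes the BitLocker, TrustedPlatformModule and LocalAccounts modules shipped with a standard Windows 10/11 client, an elevated session, and no particular KB number; it reports posture only and does not detect YellowKey or GreenPlasma exploitation.

```powershell
# Added example: BitLocker / local-admin / patch posture check for one Windows endpoint.
# Assumes the BitLocker, TrustedPlatformModule and Microsoft.PowerShell.LocalAccounts
# modules present on a standard Windows 10/11 client, run from an elevated PowerShell.
# It reports posture only; it does not detect or block any specific exploit.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Stolen-device protection: every volume should be fully encrypted with protection on,
#    and the OS volume should need more than the TPM at boot (PIN or startup key) so a
#    powered-off stolen laptop still requires a secret the thief does not have.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$($vol.MountPoint): BitLocker not fully on (Protection=$($vol.ProtectionStatus), Status=$($vol.VolumeStatus))")
    }
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    if ($vol.VolumeType -eq 'OperatingSystem' -and ($types -contains 'Tpm') -and
        -not ($preBoot | Where-Object { $types -contains $_ })) {
        $findings.Add("$($vol.MountPoint): OS volume unlocks with TPM only; consider requiring a pre-boot PIN")
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        $findings.Add("$($vol.MountPoint): no recovery password protector to escrow")
    }
}

# 2. Admin separation: local escalation matters less when day-to-day accounts are not
#    already administrators. Flag more than the built-in account plus one break-glass admin.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {
    $findings.Add("Local Administrators has $($admins.Count) members: $($admins -join ', ')")
}

# 3. TPM readiness underpins BitLocker's boot-time measurements.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings.Add("TPM not present/ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))")
}

# 4. Patch level: print the newest installed update so the May rollout can be confirmed
#    against whatever KB your WSUS/Intune deployment targets (no KB number assumed here).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) { "Newest installed update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" }

if ($findings.Count -eq 0) { 'No posture findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it through your endpoint management tool and collect the FINDING lines centrally so that a lost laptop or a suspected compromised account can be checked against a record made before the incident.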
