Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Collaborative Translation Framework permits an authorized low-privileged user to gain elevated rights on affected Windows systems by abusing improper symbolic link resolution before file access. The flaw yields high confidentiality, integrity, and availability impact (CVSS 7.8) but requires existing local access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The Collaborative Translation Framework (CTF) is a long-standing Windows subsystem (ctfmon/msctf) that brokers text input, IME, and language services between processes and the active input session, often running with elevated privilege to serve interactive desktops. CWE-59 (Improper Link Resolution Before File Access, or 'link following') indicates that a CTF component operates on a file path without first canonicalizing or validating that the target is not a symbolic link, junction, or hard link. A local attacker who controls a path that the privileged process touches can redirect file operations - typically writes, deletes, or DACL changes - to a sensitive location, causing the high-privileged process to act on attacker-chosen targets.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586 (patch available per vendor advisory; the specific KB and fixed build for each Windows SKU should be taken directly from that page). As a temporary compensating control until patching, restrict interactive and remote-desktop logon rights on multi-user hosts to trusted accounts so unprivileged local users cannot stage the symlink primitive, and consider enabling the Windows symbolic link evaluation restrictions (fsutil behavior set SymlinkEvaluation) so non-admin local-to-local symlinks are disabled - note this can break legitimate developer workflows and some installers that rely on link evaluation. Disabling or restricting the Text Services Framework (ctfmon) is not a safe workaround because it breaks IME and accessibility input and should not be used.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35548
GHSA-w47j-rgg9-c6p2