Skip to main content

Windows Collaborative Translation Framework EUVDEUVD-2026-35548

| CVE-2026-45586 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-09 secure@microsoft.com GHSA-w47j-rgg9-c6p2
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:16 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Collaborative Translation Framework permits an authorized low-privileged user to gain elevated rights on affected Windows systems by abusing improper symbolic link resolution before file access. The flaw yields high confidentiality, integrity, and availability impact (CVSS 7.8) but requires existing local access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The Collaborative Translation Framework (CTF) is a long-standing Windows subsystem (ctfmon/msctf) that brokers text input, IME, and language services between processes and the active input session, often running with elevated privilege to serve interactive desktops. CWE-59 (Improper Link Resolution Before File Access, or 'link following') indicates that a CTF component operates on a file path without first canonicalizing or validating that the target is not a symbolic link, junction, or hard link. A local attacker who controls a path that the privileged process touches can redirect file operations - typically writes, deletes, or DACL changes - to a sensitive location, causing the high-privileged process to act on attacker-chosen targets.

RemediationAI

Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586 (patch available per vendor advisory; the specific KB and fixed build for each Windows SKU should be taken directly from that page). As a temporary compensating control until patching, restrict interactive and remote-desktop logon rights on multi-user hosts to trusted accounts so unprivileged local users cannot stage the symlink primitive, and consider enabling the Windows symbolic link evaluation restrictions (fsutil behavior set SymlinkEvaluation) so non-admin local-to-local symlinks are disabled - note this can break legitimate developer workflows and some installers that rely on link evaluation. Disabling or restricting the Text Services Framework (ctfmon) is not a safe workaround because it breaks IME and accessibility input and should not be used.

Share

EUVD-2026-35548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy