How MiniPlasma Exploits Kernel Trust
A security researcher disclosed a Windows zero-day vulnerability named MiniPlasma, enabling attackers to gain full SYSTEM-level access. The proof-of-concept exploit targets fully updated Windows systems and was released publicly on May 17, 2026. No official patches are available yet.
The flaw allows local privilege escalation, meaning an attacker who already has basic user access can exploit it to take complete control of a system. Unlike remote exploits, MiniPlasma requires initial access to the machine, but once triggered it bypasses core security layers. The exploit abuses a weakness in the Windows kernel’s handling of specific memory operations within the Win32k.sys driver. This driver manages graphical functions but also runs with deep system privileges, making it a frequent target for escalation attacks. By carefully crafting system calls, the exploit forces improper memory access, leading to arbitrary code execution at the highest privilege level.
The vulnerability lies in how Win32k.sys validates input from user-mode processes. MiniPlasma sends malformed graphical rendering requests that the driver fails to check properly. When the system attempts to process them, it triggers an unhandled memory condition. The proof-of-concept code uses this to overwrite critical memory structures, redirecting execution to attacker-controlled payloads. Because the driver operates in kernel mode, the payload runs as SYSTEM, giving full access to files, credentials, and system settings.
Could This Become a Widespread Threat?
The researcher demonstrated the exploit on Windows 11 23H2 and Windows Server 2022, both fully patched. Microsoft has acknowledged that it is aware of the issue but has not confirmed a patch timeline. The release of working code dramatically increases the risk, since it can be easily adapted by malware developers.
While MiniPlasma requires initial access, it poses serious risks in environments where users have limited privileges but attackers gain entry through phishing or malware. Once inside, the exploit allows elevation to full system control, bypassing standard security monitoring. Enterprises with unpatched endpoints or delayed update cycles are especially vulnerable.
Microsoft typically addresses such flaws within monthly security updates, but emergency out-of-band patches are possible for critical issues. Until then, defenders are advised to restrict local user privileges and monitor for suspicious kernel-level activity.
Frequently Asked Questions
What systems are affected by MiniPlasma? The proof-of-concept works on recent Windows versions including Windows 10, 11, and Server editions using the Win32k.sys driver. All are at risk if unpatched.
Can MiniPlasma be exploited remotely? No. Attackers must already have user-level access to the machine. It cannot be triggered over a network or the internet directly.
Is there a fix available? Not yet. Microsoft is aware of the issue but has not released a patch. Users should limit local account privileges as a temporary safeguard.