U.S. CISA adds a flaw in Microsoft Windows to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a significant Microsoft Windows vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. This flaw, designated as CVE-2026-20805, carries a CVSS score of 8.7, indicating a high level of severity that warrants immediate attention from organizations relying on Microsoft products.

Details of the Vulnerability

This week, as part of Microsoft’s Patch Tuesday security updates for January 2026, a total of 112 Common Vulnerabilities and Exposures (CVEs) were addressed across various platforms, including Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB, and Windows management services. When incorporating third-party Chromium fixes, the overall count of vulnerabilities rises to 114.

Among these vulnerabilities, CVE-2026-20805 stands out because it is being actively exploited in real-world attacks. The flaw affects the Windows Desktop Window Manager and lets an attacker leak small fragments of memory. On its own it does not execute malicious code, but the leaked data can help an attacker defeat memory-protection measures such as address randomization, which is typically a stepping stone toward a more severe exploit.

The advisory succinctly states, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” It further elaborates that the type of information at risk includes section addresses from a remote ALPC port, which pertains to user-mode memory.

This incident underscores the critical nature of even minor information leaks, which can significantly contribute to the overall compromise of a system.

Microsoft has not disclosed specific details regarding the attacks that are leveraging this vulnerability. Nevertheless, under Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk posed by known exploited vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerabilities listed in the catalog by the stipulated deadline in order to protect their networks from exploitation.

Experts are also advising private organizations to review the KEV catalog and take necessary actions to fortify their infrastructures against these vulnerabilities. CISA has set a deadline for federal agencies to rectify the vulnerabilities by February 3, 2026.
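Reviewing the KEV catalog, as the advice above recommends, is easiest to automate against the JSON feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. The script below is an added example, not code from the article or from CISA: it parses a feed in that format, looks up the CVE discussed here, and ranks an organization's still-unpatched CVEs by how close or past the BOD 22-01 due date they are. The feed field names (cveID, dueDate, requiredAction and so on) are those of the real catalog; the sample feed itself is constructed inline, its dateAdded value is an assumption, and the second entry is filler with a clearly fake CVE number.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The dueDate for
# CVE-2026-20805 is the February 3, 2026 deadline reported in the article;
# dateAdded is an assumed value and the second record is constructed filler.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20805",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Desktop Window Manager information disclosure",
            "dateAdded": "2026-01-13",            # assumed, not from the article
            "shortDescription": "Exposure of sensitive information to an unauthorized "
                                "actor in Desktop Windows Manager allows an authorized "
                                "attacker to disclose information locally.",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-02-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-1999-0001",             # constructed filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed filler vulnerability",
            "dateAdded": "2025-12-01",
            "shortDescription": "Constructed filler entry for the example.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-12-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(feed_text):
    """Parse a KEV-format JSON feed into a dict keyed by CVE id."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def days_until_due(entry, today):
    """Days remaining until the BOD 22-01 due date (negative when overdue)."""
    due = date.fromisoformat(entry["dueDate"])
    return (due - today).days


def prioritize(unpatched_cves, catalog, today):
    """Return the unpatched CVEs that appear in the KEV catalog, earliest due first.

    Each hit carries the due date, the days remaining and an OVERDUE/DUE status,
    so the output can feed a ticketing or reporting pipeline directly.
    """
    hits = []
    for cve in unpatched_cves:
        entry = catalog.get(cve)
        if entry is None:
            continue                       # not in KEV: lower priority, not ignored
        remaining = days_until_due(entry, today)
        hits.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "daysRemaining": remaining,
            "status": "OVERDUE" if remaining < 0 else "DUE",
            "requiredAction": entry["requiredAction"],
        })
    return sorted(hits, key=lambda hit: hit["dueDate"])


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_FEED)
    # Constructed inventory: CVEs a vulnerability scanner still reports as open.
    open_findings = {"CVE-2026-20805", "CVE-2020-0601"}
    for hit in prioritize(open_findings, catalog, date(2026, 1, 20)):
        print(f'{hit["status"]:8} {hit["cveID"]} ({hit["product"]}) due {hit["dueDate"]}, '
              f'{hit["daysRemaining"]} days left: {hit["requiredAction"]}')
```

In production, replace SAMPLE_KEV_FEED with the downloaded feed text and the constructed inventory with the CVE list from your scanner; a CVE that is open and already past its dueDate is the first thing to escalate, since KEV membership means exploitation has been observed rather than merely predicted.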

For ongoing updates and insights, follow Pierluigi Paganini on Twitter: @securityaffairs, as well as on Facebook and Mastodon.


