Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm

Microsoft, in conjunction with the U.S. government, has issued a warning regarding a recently disclosed vulnerability in Windows that is currently under active exploitation. This flaw, designated as CVE-2026-20805, was identified by Microsoft’s threat intelligence team and allows an authorized attacker to leak a memory address from a remote ALPC port. According to Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, this address could potentially be leveraged in subsequent stages of an exploit chain, likely leading to arbitrary code execution.

Although the vulnerability carries only a medium CVSS severity rating of 5.5, the urgency of addressing it is underscored by the rapid response from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Following the release of a patch by Microsoft, CISA promptly added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, mandating that federal agencies implement the fix by February 3. The agency cautioned that such vulnerabilities are frequently targeted by malicious cyber actors, posing significant risks to federal operations.
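The practical defender task behind a KEV listing is to match the catalog against what you actually run and work out how much time is left before the remediation deadline. The script below is an added example, not code from the article or from CISA: it parses a JSON document shaped like the public KEV feed (`vulnerabilities` entries with `cveID`, `vendorProject`, `product`, `requiredAction`, `dueDate` and so on), indexes it by CVE, and reports which CVEs from a (constructed) asset inventory are due or overdue. The sample records are constructed for illustration; the only values taken from the article are CVE-2026-20805 and its February 3 deadline, and the year 2026 for that deadline is an assumption. The second catalog entry and its dates are placeholders.

```python
"""Triage a KEV-shaped catalog extract against an asset inventory.

Added example, not from the article or from CISA. The JSON field names follow
the public KEV feed; the records below are constructed, and the real feed
carries further fields (dateAdded, notes, cwes) that are omitted here.
"""
import json
from datetime import date

# Constructed sample shaped like the KEV feed's JSON. CVE-2026-20805 and its
# 2026-02-03 due date come from the article (year assumed); the second entry
# is an obvious placeholder included only so the sort and overdue logic has
# something to order.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20805",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows ALPC memory address disclosure (constructed name)",
            "shortDescription": "Allows an authorized attacker to leak a memory "
                                "address from a remote ALPC port.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-02-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder identifier, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "shortDescription": "Constructed record with an already-past deadline.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: CVEs an organisation might be tracking this cycle.
# Only those that also appear in the catalog should surface in the triage.
INVENTORY = ["CVE-2026-20805", "CVE-2026-21265", "CVE-2023-31096",
             "CVE-2026-20952", "cve-0000-00000"]


def load_kev(text):
    """Index a KEV-shaped JSON document by upper-cased CVE id."""
    doc = json.loads(text)
    return {entry["cveID"].upper(): entry for entry in doc["vulnerabilities"]}


def triage(kev, inventory, today):
    """Return (cveID, days_until_due) for inventory CVEs present in the
    catalog, earliest deadline first. A negative day count means overdue."""
    hits = []
    for cve in inventory:
        record = kev.get(cve.upper())
        if record is None:
            continue  # not a known-exploited entry; nothing to deadline-track
        due = date.fromisoformat(record["dueDate"])
        hits.append((record["cveID"], (due - today).days))
    hits.sort(key=lambda hit: hit[1])
    return hits


def report(hits):
    """Render triage results as plain text lines for a ticket or dashboard."""
    lines = []
    for cve, days in hits:
        status = f"OVERDUE by {-days} day(s)" if days < 0 else f"due in {days} day(s)"
        lines.append(f"{cve}: {status}")
    return lines


if __name__ == "__main__":
    # Fixed 'today' so the run is reproducible; use date.today() in practice.
    for line in report(triage(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 1, 27))):
        print(line)
```

Against the live feed you would replace `KEV_SAMPLE` with the downloaded catalog JSON and `INVENTORY` with the CVE list from your patch-management or scanner export; the matching is case-insensitive because inventories frequently mix `cve-` and `CVE-` prefixes.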

While the specifics regarding the identity of those exploiting this vulnerability remain unclear, Microsoft has not provided additional insights, prompting experts to recommend prioritizing the patch. Kev Breen, Senior Director of Cyber Threat Research at Immersive, emphasized the importance of addressing vulnerabilities of this nature, which can compromise Address Space Layout Randomization (ASLR)—a critical security measure against memory-manipulation exploits. Breen noted that by exposing memory addresses, this flaw can be combined with other code execution vulnerabilities, transforming complex exploits into more practical attacks. He criticized Microsoft for not disclosing which other components might be involved in such exploit chains, which he argues hinders proactive threat-hunting efforts for network defenders.

Two publicly known bugs

CVE-2026-20805 marks Microsoft’s first zero-day vulnerability of 2026, coinciding with the first Patch Tuesday of the year, which unveiled a substantial patch dump comprising 112 Microsoft CVEs. Among these, two additional vulnerabilities were publicly acknowledged at the time of release.

  • CVE-2026-21265: This vulnerability pertains to a secure boot certificate expiration security feature bypass, carrying a CVSS rating of 6.4. It is classified as publicly known due to a certificate expiration notice published by Microsoft in June 2025. As some certificates issued in 2011 approach expiration, device operators must update them to maintain Secure Boot protections and security updates. Childs remarked that while exploitation is unlikely, this issue could present significant challenges for administrators.
  • CVE-2023-31096: This elevation of privilege flaw, rated at 7.8, affects third-party Agere Modem drivers included with supported Windows versions. Although this is a non-Microsoft CVE, it was first documented in 2023 and issued by MITRE. During the previous patch cycle in October, Microsoft indicated that this vulnerability had been made public but not yet exploited, and the drivers have since been removed in the January update.

Childs also highlighted two additional noteworthy vulnerabilities: CVE-2026-20952 (CVSS 7.7) and CVE-2026-20953 (CVSS 7.4). Both are classified as use-after-free flaws in Office that could allow unauthorized code execution. Childs remarked, “Another month with Preview Pane exploit vectors in an Office bug. While we are still unaware of any exploitation of these bugs, they keep adding up. It’s only a matter of time until threat actors find a way to use these types of bugs in their exploits.”
