🟢 CVE-2026-20805

CVE-2026-20805 is a local information disclosure vulnerability in the Windows Desktop Window Manager (DWM) that requires local access and authentication. Despite being in CISA KEV, this is not directly internet exploitable as it affects client-side Windows desktop components.

← Back to Overview
LOW_RISK
Risk Level
5.5
CVSS Score
LOCAL
Attack Vector
Privilege Escalation
ATT&CK Tactic
T1068 — Exploitation for Privilege Escalation
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-01-13

Added to CISA KEV: 2026-01-13 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-20805 is an information disclosure vulnerability affecting the Desktop Window Manager (DWM) in Microsoft Windows [2]?id=CVE-2026-20805?kagi_q=CVE-2026-20805. It was disclosed and patched on January 13, 2026 [3] [5].

Active Exploitation and Threat Actor Usage
  • Status: The vulnerability has been confirmed as exploited in the wild [3] [5].
  • CISA KEV: Due to evidence of active exploitation, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on January 13, 2026 [3].
  • Usage: While specific threat actor attribution is not widely detailed in public reports, the flaw is noted as a frequent vector for malicious actors to facilitate further privilege escalation chains in real-world attacks [1].
Attack Method and Requirements
  • Exploitation Type: Local. The vulnerability requires the attacker to be locally authenticated on the system [2] [6].
  • Method: Attackers exploit the way DWM handles memory, specifically by exposing sensitive user-mode memory (such as section addresses) via remote ALPC (Advanced Local Procedure Call) ports [1].
  • User Interaction: Not explicitly required for the exploitation itself, provided the attacker has already gained the necessary local authentication.
Impact
  • Access/Impact: Successful exploitation allows an authorized, low-privilege local attacker to disclose sensitive information [2] [6]. This information disclosure is primarily used as a stepping stone to aid in more complex privilege escalation attacks [1].
Patch and Mitigation Status
  • Patch Status: Microsoft released security updates to address this vulnerability on January 13, 2026 [5].
  • Mitigation: Users are advised to install the latest Microsoft security updates via the Microsoft Security Update Guide or Windows Update [4]. A system reboot is required after patching to ensure the DWM component is correctly reinitialized with the updated binary [4].

Sources

  1. Microsoft Desktop Window Manager 0-Day Vulnerability Exploited in the wild

    Tracked as CVE-2026-20805, the vulnerability allows low-privilege local attackers to expose sensitive user-mode memory, specifically section addresses, via remote ALPC ports. This could aid further privilege escalation chains in real-world attacks, prompting urgent patch deployment across legacy Win…

  2. CVE-2026-20805 Detail - NVD

    Description. Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally ... Information Technology Laboratory National Vulnerability Database Vulnerabilities…

  3. CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability. This type of vulnerability is a frequent attack vector for malicious ... CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-20805…

  4. CVE-2026-20805 - Vulnerability Details - OpenCVE

    Install the latest Microsoft security update that addresses CVE-2026-20805 from the Microsoft Security Update Guide or Windows Update. Reboot the system after updating to ensure the Desktop Window Manager component is reinitialized with the patched binary.

  5. Critical Patches Issued for Microsoft Products, January 13, 2026

    Microsoft has reported that CVE-2026-20805 has been exploited in the wild. SYSTEMS AFFECTED: Azure Connected Machine Agent; Azure Core shared ...

  6. CVE-2026-20805: Microsoft Fixes Actively Exploited Windows ...

    According to Microsoft, the vulnerability enables a locally authenticated attacker to extract protected data by abusing the way Desktop Window ...

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed