CVE-2026-20805 is a Windows Desktop Window Manager (DWM) information disclosure vulnerability that has been exploited in the wild as a zero-day.
While the CVSS v3.1 base score is 5.5 (AV:L/AC:L/PR:L/UI:N/C:H), the operational risk is higher than the score suggests because the flaw can leak sensitive memory-related data that attackers commonly use to bypass exploit mitigations and chain with other vulnerabilities for full compromise.
What It Is
Microsoft describes CVE-2026-20805 as an exposure of sensitive information in Desktop Window Manager that allows an authenticated/authorized attacker to disclose information locally.
Independent analysis of the Patch Tuesday release explains that exploitation can result in improper disclosure of an ALPC port “section address” (a user-mode memory section address used by Windows components for coordination), which can weaken defenses such as address randomization and make follow-on exploitation more reliable.
Key characteristics:
- Local attack surface (attacker must already execute code on the host with low privileges).
- No user interaction required once code runs (UI:N).
- High confidentiality impact (C:H), consistent with leaking sensitive process/memory-related information.
Impact
Even though CVE-2026-20805 is “only” information disclosure, it targets DWM, a high-value Windows component responsible for rendering the desktop, meaning it’s widely present and attractive to adversaries.
In real-world attack chains, memory disclosure flaws like this are commonly used to weaken exploit mitigations such as ASLR by leaking memory addresses, which significantly improves exploit reliability. When combined with privilege escalation vulnerabilities, this information can enable full system compromise while reducing crashes and noisy failures, allowing attackers to operate more stealthily after initial access.
Affected systems
NVD lists a broad set of Windows client and server versions as affected (CPEs include Windows 10/11 and Windows Server editions), with remediation reflected as “versions up to (excluding)” specific build numbers.
Examples from NVD’s affected configuration list include:
- Windows 10 (1607, 1809, 21H2, 22H2)
- Windows 11 (23H2, 24H2, 25H2)
- Windows Server (2012/R2, 2016, 2019, 2022, 2022 23H2, 2025)
Bottom line: treat this as widely applicable across supported Windows fleets and patch accordingly.
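To turn the NVD "versions up to (excluding)" data described above into a fleet check, here is an added example (not code from the original post, Microsoft or NVD). It reads a "configurations" block shaped like the NVD CVE API 2.0 response, extracts each product's versionEndExcluding build, and flags inventory hosts still below it. The JSON and inventory are constructed samples, and the build numbers are placeholders rather than the real fixed builds for CVE-2026-20805.

```python
import json

# Constructed sample shaped like the NVD CVE API 2.0 "configurations" block.
# Build numbers are placeholders, NOT the real fixed builds for CVE-2026-20805;
# take the actual values from the NVD entry before using this in production.
NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
  {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*",
   "versionEndExcluding": "10.0.19045.9999"},
  {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*",
   "versionEndExcluding": "10.0.26100.9999"},
  {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
   "versionEndExcluding": "10.0.20348.9999"}
]}]}]
""")

def build_tuple(version):
    """'10.0.19045.5000' -> (10, 0, 19045, 5000) so builds compare numerically."""
    return tuple(int(p) for p in version.split("."))

def fixed_builds(configurations):
    """Map CPE product name -> first non-vulnerable build (versionEndExcluding)."""
    fixed = {}
    for config in configurations:
        for node in config["nodes"]:
            for m in node["cpeMatch"]:
                if not m.get("vulnerable") or "versionEndExcluding" not in m:
                    continue
                product = m["criteria"].split(":")[4]  # e.g. windows_10_22h2
                fixed[product] = build_tuple(m["versionEndExcluding"])
    return fixed

def unpatched_hosts(inventory, fixed):
    """Return hostnames whose build is still below the fixed build for their product."""
    result = []
    for host, product, build in inventory:
        threshold = fixed.get(product)
        if threshold is not None and build_tuple(build) < threshold:
            result.append(host)
    return result

# Constructed inventory: (hostname, CPE product name, reported OS build).
INVENTORY = [
    ("ws-001", "windows_10_22h2", "10.0.19045.5000"),      # below fix -> flagged
    ("ws-002", "windows_11_24h2", "10.0.26100.9999"),      # equals fix -> patched
    ("srv-01", "windows_server_2022", "10.0.20348.100"),   # below fix -> flagged
    ("srv-02", "windows_server_2019", "10.0.17763.1"),     # not in sample data -> skipped
]
```

Feed it the real configurations array from the NVD entry and your own build inventory (for example from your endpoint management tool) to get the list of hosts that still need the January 2026 update.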
Exploitation Status
Microsoft and multiple security vendors/reporting outlets state exploitation was detected in the wild prior to patch availability (i.e., a zero-day).
On January 13th, CVE-2026-20805 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of February 3, 2026 (useful as a prioritization benchmark even for non-federal orgs).
Attack Chain Scenarios
Because this is a local info disclosure, exploitation usually appears after initial access, such as:
- Phishing or drive-by leading to user-mode code execution
- Malicious installer / trojanized software execution
- Existing foothold (e.g., remote access tool) running under a standard user
From there, CVE-2026-20805 can be used to extract memory layout information and then chain into:
- A separate EoP bug (to SYSTEM)
- A sandbox escape path
- A more reliable exploit against a privileged process
Recommended Actions
Patch deployment
- Apply Microsoft’s January 2026 Patch Tuesday updates across Windows endpoints and servers, prioritizing:
  - User workstations with browser/email exposure
  - RDS/VDI hosts (multi-user environments amplify risk)
  - Admin workstations and jump boxes
Reduce post-compromise blast radius
- Enforce least privilege (remove local admin where not required)
- Enable/strengthen credential protections (Credential Guard where feasible)
- Harden application control (WDAC/AppLocker policies for user-writable execution)
Improve exploit-chain visibility
- Ensure EDR coverage on endpoints, not just servers
- Turn on logging that supports privilege/persistence detection (Sysmon where standard in your environment)
Stay Safe. Stay Secure.
OP Innovate Research Team