CVE ID: CVE-2026-20805
Published: 2026-01-13
Updated: 4 months ago
Vendor/s: Microsoft
Product/s: Windows
Version/s: * > 10.0.14393.8783
KEV Status: Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1): 5.5 / 10 (Medium)
Severity Details
Base score: 5.5 Medium
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Description

CVE-2026-20805 is a medium-severity information disclosure flaw in the Windows Desktop Window Manager (DWM) that is actively exploited in the wild. Patch immediately.

CPE

Microsoft
Product | Version Start | Version End (excl.) | Status
windows_10_1607 | * | 10.0.14393.8783 | vulnerable
windows_10_1809 | * | 10.0.17763.8276 | vulnerable
windows_10_21h2 | * | 10.0.19044.6809 | vulnerable
windows_10_22h2 | * | 10.0.19045.6809 | vulnerable
windows_11_23h2 | * | 10.0.22631.6491 | vulnerable
windows_11_24h2 | * | 10.0.26100.7623 | vulnerable
windows_11_25h2 | * | 10.0.26200.7623 | vulnerable
windows_server_2012 | - | - | vulnerable
windows_server_2012 | r2 | r2 | vulnerable
windows_server_2016 | * | 10.0.14393.8783 | vulnerable
windows_server_2019 | * | 10.0.17763.8276 | vulnerable
windows_server_2022 | * | 10.0.20348.4648 | vulnerable
windows_server_2022_23h2 | * | 10.0.25398.2092 | vulnerable
windows_server_2025 | * | 10.0.26100.7623 | vulnerable

Related weakness (CWE)

CWE-200

Remediation plan

1. Apply official patches

Install the latest security updates provided by Microsoft specifically addressing the Desktop Window Manager (DWM) information disclosure flaw via Windows Update or WSUS.

2. Update affected systems

Ensure Windows 10 (versions prior to 10.0.19045.6809), Windows 11 (prior to 10.0.26100.7623), and Windows Server 2025 are updated to the latest build numbers to mitigate risk.

3. Restrict access

Enforce the principle of least privilege (PoLP) to limit local user access, as this vulnerability requires an authorized local attacker to execute the exploit code on the target system.

4. Monitor for exploitation

Track unusual process behavior associated with dwm.exe and audit local security logs for unauthorized attempts to access sensitive memory regions or system information.
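
To support steps 1 and 2 across a fleet, the following added example (not from this page's sources or from Microsoft) sorts hosts from an inventory export by comparing each reported OS version with the fixed builds in the CPE table above. The `hostname,os_version` CSV layout and the sample hosts are assumptions; builds the table gives no bound for, such as Server 2012 and 2012 R2, are reported as unknown for manual review.

```python
import csv
import io

# Fixed builds copied from the "Version End (excl.)" column of the CPE table
# on this page, keyed by Windows build number (third version component).
FIXED_REVISION = {
    14393: 8783,   # windows_10_1607, windows_server_2016
    17763: 8276,   # windows_10_1809, windows_server_2019
    19044: 6809,   # windows_10_21h2
    19045: 6809,   # windows_10_22h2
    20348: 4648,   # windows_server_2022
    22631: 6491,   # windows_11_23h2
    25398: 2092,   # windows_server_2022_23h2
    26100: 7623,   # windows_11_24h2, windows_server_2025
    26200: 7623,   # windows_11_25h2
}


def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a '10.0.<build>.<rev>' string."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "unknown"          # malformed or truncated inventory value
    major, minor, build, revision = map(int, parts)
    if (major, minor) != (10, 0) or build not in FIXED_REVISION:
        return "unknown"          # no build bound on the page: review manually
    # The table's end version is exclusive: anything below it is affected.
    return "vulnerable" if revision < FIXED_REVISION[build] else "patched"


def triage(inventory_csv):
    """Group hostnames from 'hostname,os_version' CSV text by classification."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) != 2 or row[0].strip().lower() == "hostname":
            continue              # skip the header and blank or short rows
        result[classify(row[1])].append(row[0].strip())
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """hostname,os_version
ws-001,10.0.19045.6456
ws-002,10.0.26100.7623
srv-01,10.0.17763.8276
srv-02,6.3.9600.22000
ws-003,10.0.22631
"""
```

Calling `triage(SAMPLE)` returns the three host lists; treat every entry under `unknown` as unverified rather than safe.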

Detection Guidance

Detection should focus on identifying unusual behavior within the Desktop Window Manager process (dwm.exe). Monitor for unauthorized local users attempting to read sensitive memory or system data. Security teams should leverage Endpoint Detection and Response (EDR) tools to flag suspicious API calls or memory access patterns. Review Windows Event Logs for unexpected process crashes or restarts of the DWM service, which may indicate exploitation attempts or failed exploit payloads.

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
