The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805, a notable Windows Desktop Window Manager vulnerability, to its Known Exploited Vulnerabilities catalog. This flaw is part of the security updates issued by Microsoft during the January 2026 Patch Tuesday.
Patch Tuesday Updates
In its January 2026 rollout, Microsoft released updates addressing 114 CVEs across its platforms, including Windows, Office, Azure, and Edge. CVE-2026-20805 stands out because it is actively exploited in the wild and poses a significant risk. The vulnerability, rated CVSS 8.7, is an information disclosure flaw: it lets an attacker leak memory contents without directly executing malicious code.
Implications and Recommendations
Exploiting CVE-2026-20805 can help attackers bypass security protections by leaking sensitive memory data. CISA has mandated that federal agencies patch this vulnerability by 2026-02-03 and urges private organizations to do the same. The data disclosed is described as section addresses of remote ALPC ports in user-mode memory, but Microsoft has not detailed the specific attacks that leverage this flaw.
- CISA: Added CVE-2026-20805 to its catalog.
- Microsoft: Issued updates for 112 vulnerabilities in January 2026.
- Action Deadline: 2026-02-03 for federal agencies.
- Vulnerability Impact: Information leak in Desktop Window Manager.
- Recommendation: Private firms should also secure their systems.