On January 13, 2026, Microsoft patched a severe zero-day information disclosure vulnerability in its Desktop Window Manager (DWM) as part of the Patch Tuesday update, after identifying active exploitation in the wild.
Tracked as CVE-2026-20805, the flaw lets low-privilege local attackers disclose sensitive user-mode memory, specifically section addresses, through remote ALPC ports. In real attacks this could support further privilege escalation paths, so older Windows systems should be patched promptly.
The vulnerability received an “Important” severity rating, with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Although it is not remotely exploitable, its low attack complexity and lack of required user interaction make it a significant target for malware or post-compromise operations.
The Microsoft Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) confirmed the exploitation but stated that no public proof-of-concept is available at this time.
Attackers abuse DWM, the compositing engine responsible for window rendering, to expose memory addresses. Such disclosures may reveal kernel pointers or process information, which helps bypass defenses such as ASLR. Microsoft credits its internal teams with the discovery through coordinated reporting.
Impacted Platforms and Fixes
The vulnerability affects older Windows versions that remain in extended support. Administrators are urged to prioritize updates, as Microsoft categorizes them as “Required.”
Refer to the MSRC Update for full lifecycle details. In the meantime, restrict access for local low-privilege accounts and monitor DWM activity with EDR tools.
This round of patches highlights persistent threats in legacy DWM components amid a rise in local privilege escalation techniques. Organizations running unsupported versions face increased risk.