On 13 January 2026, in its first Patch Tuesday of the year, Microsoft fixed CVE-2026-20805, an information-disclosure vulnerability in the Windows Desktop Window Manager (DWM) that was already being actively exploited as a zero-day. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog the same day and set 3 February 2026 as the remediation deadline for U.S. federal agencies.
What the vulnerability is
The Desktop Window Manager is the system component that composes and renders the Windows graphical interface: window effects, transparency, thumbnails. The flaw, classified as CWE-200 (exposure of sensitive information to an unauthorized actor), lets a local, authenticated attacker read the address of a memory section tied to a remote ALPC (Advanced Local Procedure Call) port, which lives in user-mode memory where several Windows components coordinate operations with each other.
At first glance it looks minor: it only reveals a memory address, and on its own it can’t execute code or alter data. That earned it a CVSS 3.1 score of 5.5 (medium), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The real value lies in what it opens up. By leaking an address from the DWM process, an attacker can defeat ASLR (Address Space Layout Randomization), the protection that randomizes where components sit in memory. Knowing that address gives a reliable starting point to chain the flaw with a code-execution or privilege-escalation bug, and an unstable exploit becomes a reliable one.
Who is affected
The issue hits a broad range of Windows versions, including Windows 10, Windows 11 and Windows Server (2012 through 2025). Any system with DWM active and missing the January 2026 patch is vulnerable. Because it needs local authenticated access, the usual scenario is post-exploitation: an attacker who already has a foothold on the machine, via phishing, malware or stolen credentials, uses this flaw as a stepping stone to escalate privileges.
Severity
Its CVSS score is “medium”, but the mix of low complexity, no user interaction and confirmed in-the-wild exploitation makes it a high-priority target for malware operators. CISA adding it to the KEV on the same day as the patch makes clear the threat is real, not theoretical.
Mitigation and patch
The only fix that works is to apply Microsoft’s January 2026 security update. Microsoft published patched build numbers for each supported Windows version. The recommendations are simple:
- Install the January 2026 Patch Tuesday update right away.
- If your environment can’t patch immediately, follow CISA BOD 22-01 guidance or, on unsupported systems, consider retiring them.
- Keep defense-in-depth measures (EDR, least privilege) that make the prior local access the flaw needs harder to get.
This zero-day arrived in an unusually heavy Patch Tuesday: 114 vulnerabilities fixed (113 CVEs per NVD), 8 of them critical. For system administrators it repeats a familiar lesson: an information leak that looks trivial can be the piece that turns an exploit chain into something fully operational.
Source
- BleepingComputer / Microsoft January 2026 Patch Tuesday: https://nvd.nist.gov/vuln/detail/CVE-2026-20805
- CVE detail on NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20805
- Affected system page: /en/windows-desktop