In the January 2026 Patch Tuesday, Microsoft fixed CVE-2026-20854, a remote code execution (RCE) vulnerability rated as critical in the Windows Local Security Authority Subsystem Service (LSASS). It is one of six critical RCE flaws the company resolved in its first monthly update of the year, part of a batch that addressed more than a hundred vulnerabilities.
What the vulnerability is
According to the National Vulnerability Database (NVD), this is a use-after-free (CWE-416): a chunk of memory that has already been freed is reused, which can lead to memory corruption and, in the worst case, arbitrary code execution. The flaw lives in LSASS, the Windows process responsible for enforcing the system’s security policy, validating logons, and managing authentication and access tokens. Compromising this component is especially sensitive, because LSASS handles credentials and has long been a target for attackers seeking to steal hashes and secrets.
The assigned CVSS 3.1 vector is AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, with a base score of 7.5 (high). In practice, this means the attack is carried out over the network (AV:N), requires no victim interaction (UI:N), and needs the attacker to hold low privileges on the system (PR:L). The high attack complexity (AC:H) means certain conditions must be met to exploit it reliably, which somewhat lowers the likelihood of mass exploitation but does not remove the risk. The impact is total across confidentiality, integrity, and availability.
Who is affected
The affected versions confirmed by NVD are:
- Windows 11 version 24H2 (before build 10.0.26100.7623)
- Windows 11 version 25H2 (before build 10.0.26200.7623)
- Windows Server 2025 and its Server Core installation (before build 10.0.26100.32230)
Server environments are the most exposed: a domain controller or an authentication server compromised through LSASS can give an attacker a very valuable foothold for lateral movement within a corporate network.
Severity and exploitation status
Microsoft rated the flaw as critical within the month’s RCE set. At the time the patch was published there was no documented active exploitation of this specific CVE (unlike the CVE-2026-20805 zero-day from the same Patch Tuesday), but its nature —RCE in a network-accessible authentication component— justifies priority patching.
Mitigation and patch
The only recommended fix is to apply the January 2026 cumulative updates through Windows Update or WSUS/SCCM, installing at least the builds listed above. There is no alternative mitigation equivalent to the patch for a use-after-free of this kind. As complementary best practices, you should:
- Restrict network access to servers and limit privileged accounts.
- Enable credential protections such as Credential Guard and additional LSASS protection (RunAsPPL / LSA protection), which make abuse of the process harder.
- Segment the network to reduce the exposure surface of domain controllers.
For administrators managing mixed Linux and Windows fleets, this case is a reminder of how important it is to isolate and harden authentication services. If you work with mandatory access controls on Linux, you may find our guide on SELinux and AppArmor useful.
If you manage Windows Server, check the Windows Server page for its life cycle and supported versions.