CVE-2026-20805
Published: 13 January 2026
Description
Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the information disclosure vulnerability by requiring timely application of vendor patches for the DWM flaw as referenced in MSRC and CISA KEV.
Prevents unauthorized reading and extraction of sensitive information from shared system resources, directly addressing DWM's exposure of sensitive data to local low-privilege attackers.
Provides memory isolation and protection safeguards that limit unauthorized access to sensitive data in DWM's memory spaces exploited by local attackers.
Security SummaryAI
CVE-2026-20805 is an information disclosure vulnerability in the Desktop Windows Manager (DWM) component of Windows, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Published on 2026-01-13, it has a CVSS v3.1 base score of 5.5 (Medium), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact from local exploitation.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows disclosure of sensitive information to an unauthorized actor, without impacting integrity or availability, and with unchanged scope.
Mitigation details are available in the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805. The vulnerability is also referenced in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20805.
Details
- CWE(s)
- KEV Date Added
- 13 January 2026