Cyber Posture

CVE-2026-20856

High

Published: 13 January 2026

Modified: 15 January 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 31.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires implementation of input validation mechanisms at WSUS entry points to prevent remote code execution from inadequately validated network inputs as exploited in CVE-2026-20856.

prevent

Mandates timely flaw remediation through patching of the specific improper input validation vulnerability in WSUS as detailed in the Microsoft advisory for CVE-2026-20856.

prevent

Enforces boundary protection for the network-accessible WSUS service to monitor and control communications, reducing the risk of malformed inputs reaching the vulnerable input validation component in CVE-2026-20856.

Security Summary · AI

CVE-2026-20856 is an improper input validation vulnerability (CWE-20) affecting the Windows Server Update Service (WSUS). Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw enables an unauthorized attacker to execute arbitrary code over a network due to inadequate validation of inputs processed by WSUS.

An unauthorized attacker with network access can exploit this vulnerability remotely without privileges or user interaction, although attack complexity is high. Successful exploitation allows remote code execution with high impact on confidentiality, integrity, and availability, potentially giving the attacker full control of the targeted WSUS server.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20856 provides details on mitigation and available patches.

Details

CWE(s)

Affected Products

microsoft · windows 10 1607 · ≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft · windows 10 1809 · ≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft · windows 10 21h2 · ≤ 10.0.19044.6809
microsoft · windows 10 22h2 · ≤ 10.0.19045.6809
microsoft · windows 11 23h2 · ≤ 10.0.22631.6491
microsoft · windows 11 24h2 · ≤ 10.0.26100.7623
microsoft · windows 11 25h2 · ≤ 10.0.26200.7623
microsoft · windows server 2012 · all versions, r2
microsoft · windows server 2016 · ≤ 10.0.14393.8783
microsoft · windows server 2019 · ≤ 10.0.17763.8276
+3 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-20856 enables remote code execution via improper input validation in the public-facing WSUS application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
