Microsoft patched a critical zero-day information disclosure flaw in its Desktop Window Manager (DWM) on January 13, 2026, in the Patch Tuesday update after detecting active exploitation in the wild.
Tracked as CVE-2026-20805, the vulnerability allows low-privilege local attackers to expose sensitive user-mode memory, specifically section addresses, via remote ALPC ports. This could aid further privilege escalation chains in real-world attacks, prompting urgent patch deployment across legacy Windows systems.
The flaw earned an “Important” severity rating with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). While not remotely exploitable, its low complexity and lack of user interaction make it a prime target for malware or post-compromise operations.
Microsoft Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) confirmed exploitation but noted no public proof-of-concept exists yet.
Attackers exploit DWM, a core compositing engine handling window rendering, to leak memory addresses. This disclosure could reveal kernel pointers or process data, facilitating bypasses of mitigations like ASLR. Microsoft credits internal teams for discovery via coordinated disclosure.
Affected Platforms and Patches
The vulnerability impacts older Windows versions still in extended support. Administrators must prioritize updates, as Microsoft deems them “Required.”
Check the MSRC Update for full lifecycle details. In the interim, restrict local low-privilege accounts and monitor DWM processes via EDR tools.
This patch wave underscores ongoing risks in legacy DWM components amid rising local privilege escalation tactics. Organizations on unsupported builds face heightened exposure.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
