U.S. CISA adds a flaw in Microsoft Windows to its Known Exploited Vulnerabilities catalog
January 14, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Windows vulnerability, tracked as CVE-2026-20805 (CVSS Score of 8.7), to its Known Exploited Vulnerabilities (KEV) catalog.
This week, Microsoft Patch Tuesday security updates for January 2026 release 112 CVEs affecting Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB, and Windows management services. Including third-party Chromium fixes, the total rises to 114 vulnerabilities.
One of these flaws, tracked as CVE-2026-20805 (CVSS score of 5.5), is actively exploited in attacks in the wild, while two others are labeled as publicly known at release. CVE-2026-20805 is a Windows Desktop Window Manager flaw that lets attackers leak small pieces of memory information. While it does not directly run malicious code, the leaked data can help attackers bypass security protections and make more serious exploits work.
“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” reads the advisory. “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”
This weakness shows how even limited information leaks can play a key role in full system compromise.
Microsoft did not share details about the attacks exploiting this vulnerability.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by February 3, 2026.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)