Security

Windows 0-day fixed as CISA adds CVE-2026-20805 — Patch ASAP

Windows 0-day CVE-2026-20805 patched, CISA orders fixes
Patch CVE-2026-20805
  • Key takeaways:
  • Microsoft patched CVE-2026-20805, an ALPC info-disclosure zero-day discovered by its threat-intel team.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog; federal agencies must patch by Feb 3.
  • The flaw leaks a memory address (undermining ASLR) and has been observed in active attacks; patching is the primary mitigation.
  • This Patch Tuesday included 112 Microsoft CVEs and two other publicly known issues administrators should note.

What the bug does and why it matters

Microsoft’s security update fixes CVE-2026-20805, a medium-severity (CVSS 5.5) information-disclosure flaw in the Windows ALPC mechanism.

The bug lets an authenticated attacker leak a memory address from a remote ALPC port. Exposed addresses can be used to defeat Address Space Layout Randomization (ASLR) and make follow-on code-execution exploits reliable.

Expert analysis

"Presumably, threat actors would then use the address in the next stage of their exploit chain – probably gaining arbitrary code execution," Dustin Childs of Trend Micro’s Zero Day Initiative said in his analysis.

Kev Breen, senior director of cyber threat research at Immersive, warned that revealing code locations "can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack." He also criticized Microsoft for not specifying which components might be involved in exploit chains, saying that omission limits defenders' ability to hunt proactively.

CISA action and required patching

On January 13, the US Cybersecurity and Infrastructure Security Agency added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog.

That listing triggers an agency directive: federal organizations must implement the patch by February 3. CISA noted that vulnerabilities of this type are frequent attack vectors and pose significant federal enterprise risk.

Microsoft response and scope

Microsoft’s threat-intel team discovered the flaw. The company released fixes as part of the first Patch Tuesday of 2026, which documented 112 Microsoft CVEs.

Microsoft declined to provide further comment about active exploitation or attribution; public details about how widespread abuse is remain limited. Given CISA’s listing and observed attacks, defenders should treat the vulnerability as high priority.

Other notable fixes in this update

Secure Boot certificate expiration (CVE-2026-21265)

This 6.4-rated issue stems from expiring 2011 secure-boot certificates. Administrators must update certificates to avoid losing Secure Boot protections and updates.

Agere Modem driver (CVE-2023-31096)

A 7.8-rated elevation-of-privilege flaw in third-party Agere Modem drivers has been addressed; Microsoft removed the drivers in this update.

Office use-after-free bugs

The update also includes Office use-after-free vulnerabilities (CVE-2026-20952 and CVE-2026-20953) that can enable local code execution and remain worth monitoring.

Apply the January 2026 Windows updates immediately, starting with systems exposed to untrusted networks. Prioritize federal compliance if applicable, and validate patches in staging before broad rollout.

Also: review CISA’s Known Exploited Vulnerabilities catalog, monitor telemetry for signs of exploitation, and hunt for related activity if you cannot patch immediately.

Read more