Hacked: Desktop Windows Manager vulnerability added to CISA’s KEV catalogue

Newly addressed vulnerability CVE-2026-20805 has been added to the US cyber agency’s ever-growing list of known exploited vulnerabilities.

Wed, 14 Jan 2026

It was Patch Tuesday overnight, and one of the more than a hundred vulnerabilities addressed by Microsoft is already being actively exploited.

CVE-2026-20805 was added overnight to the Known Exploited Vulnerabilities (KEV) catalogue maintained by the United States Cybersecurity and Infrastructure Security Agency (CISA), as Microsoft revealed it had detected active exploitation of the flaw.

The vulnerability is described as “exposure of sensitive information to an unauthorised actor in Desktop Windows Manager allows an authorised attacker to disclose information locally,” though Rapid7 lead software engineer Adam Barnett went into more detail on the matter in this month’s Patch Tuesday round-up.

“The CVSS v3 score of 5.5 evaluates to medium severity, which wouldn’t typically scream ‘patch me first,’ but Microsoft evaluates CVE-2026-20805 as important on their proprietary severity scale. Information disclosure vulnerabilities by their very nature tend to end up with lower CVSS scores, since there’s no direct impact on integrity or availability,” Barnett said.

“Additionally, Microsoft information disclosure vulnerabilities very rarely end up marked as exploited in the wild; any that do are very likely to be part of a longer exploit chain. In this case, it’s likely that the improperly disclosed memory address gives an attacker a starting point in the hunt for the in-memory address of the DWM process, sidestepping Address Space Layout Randomisation (ASLR), and greatly increasing the chance of developing a stable elevation of privilege exploit for DWM rather than a flaky blue screen of death generator.”

CVE-2026-20805 impacts Windows 10 versions from 10.0.17763.0 before 10.0.17763.8276.
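A defender's check for the build range quoted above, added here as an example that is not from the article or from Microsoft; it assumes the standard CurrentVersion registry values, and the function names are my own.

```powershell
# Added example (not from the article or from Microsoft): reports whether a
# Windows build falls inside the affected range the article quotes,
# 10.0.17763.0 (inclusive) up to but not including fixed build 10.0.17763.8276.

function Test-Cve202620805Affected {
    param(
        [Parameter(Mandatory)][System.Version]$OsVersion,
        [System.Version]$FirstAffected = [System.Version]'10.0.17763.0',
        [System.Version]$FixedBuild    = [System.Version]'10.0.17763.8276'
    )
    # Only the 17763 build line is named by the article; other build lines are
    # reported as outside the quoted range, not as safe.
    if ($OsVersion.Build -ne $FirstAffected.Build) {
        return [pscustomobject]@{ Version = $OsVersion; Status = 'OutsideQuotedRange' }
    }
    if ($OsVersion -ge $FirstAffected -and $OsVersion -lt $FixedBuild) {
        return [pscustomobject]@{ Version = $OsVersion; Status = 'Affected' }
    }
    return [pscustomobject]@{ Version = $OsVersion; Status = 'Patched' }
}

function Get-LocalOsVersion {
    # The build number and Update Build Revision (UBR) live in the registry;
    # together they form the four-part version Microsoft quotes in advisories.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cv  = Get-ItemProperty -Path $key
    return [System.Version]::new(
        [int]$cv.CurrentMajorVersionNumber,
        [int]$cv.CurrentMinorVersionNumber,
        [int]$cv.CurrentBuildNumber,
        [int]$cv.UBR)
}

# Constructed sample versions: one inside the range, the fixed build itself,
# and a build line the article does not mention.
'10.0.17763.8000', '10.0.17763.8276', '10.0.19045.5000' |
    ForEach-Object { Test-Cve202620805Affected -OsVersion ([System.Version]$_) }

# Live check of the host the script runs on.
$local  = Get-LocalOsVersion
$result = Test-Cve202620805Affected -OsVersion $local
Write-Output ("CVE-2026-20805: {0} ({1})" -f $result.Status, $result.Version)
```

A status of OutsideQuotedRange means the host is on a build line the article does not cover, so consult Microsoft's advisory for that line rather than treating it as patched.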

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
