CVE-2026-20805

medium

Description

Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.

From the Tenable Blog

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

Published: 2026-01-13

Microsoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805

https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/

https://www.infosecurity-magazine.com/news/microsoft-three-zerodays-busy/

https://therecord.media/desktop-windows-manager-vulnerability-added-to-cisa-list

https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

https://securityaffairs.com/186898/security/u-s-cisa-adds-a-flaw-in-microsoft-windows-to-its-known-exploited-vulnerabilities-catalog.html

https://securityaffairs.com/186888/hacking/microsoft-patch-tuesday-security-updates-for-january-2026-fixed-actively-exploited-zero-day.html

https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/

https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20805

Details

Source: Mitre, NVD

Published: 2026-01-13

Updated: 2026-01-14

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.05159