CISA Adds Microsoft Windows Desktop Window Manager Flaw to Known Exploited Vulnerabilities Catalog

Actively exploited information-disclosure bug raises patch urgency for Windows environments.

Published on Jan 15, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft Windows Desktop Window Manager (DWM) vulnerability, tracked as CVE-2026-20805, to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft disclosed CVE-2026-20805 as part of its Jan. 13, 2026 Patch Tuesday updates.

The vulnerability is an information-disclosure issue within the DWM component, a core Windows service responsible for rendering graphical user interfaces. A locally authenticated attacker could exploit the flaw to access sensitive memory information.

While the issue does not allow direct remote code execution (RCE), leaked memory data can undermine exploit mitigations such as Address Space Layout Randomization (ASLR).

ASLR is designed to make exploitation more difficult by randomizing memory locations, and exposure of those addresses can significantly improve an attacker’s success rate when chaining multiple vulnerabilities.

What the KEV Listing Means for Organizations

CVE-2026-20805 has a Common Vulnerability Scoring System (CVSS) score of 5.5, placing it in the medium-severity range.

However, CISA’s KEV catalog prioritizes exploitation status over numeric severity scores, listing vulnerabilities that threat actors are already using in the wild.

US Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities within mandated timelines under Binding Operational Directive 22-01.

Although the directive does not apply to private organizations, security leaders across sectors typically treat KEV additions as high-priority patching events.

CVE-2026-20805 affects a broad set of supported Windows client and server platforms, so validating patch coverage across every environment is critical.

Impacted server editions include Windows Server 2012, 2012 R2, 2016, 2019, 2022, the 2022 23H2 Edition, and Windows Server 2025. On the client side, affected systems include Windows 10 (versions 1607 through 22H2) and Windows 11 (versions 23H2 through 25H2), across both 32-bit and 64-bit installations where Desktop Window Manager (DWM) is enabled.

Organizations should confirm that January 2026 security updates have been deployed across endpoints, virtual desktops, and server environments where DWM is enabled.
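As an added example (not part of the original article), the following read-only PowerShell check reports whether a host's build is one of the editions listed above, whether a DWM process is present, and whether a security update has been installed since the Jan. 13, 2026 Patch Tuesday. The KB identifier for the CVE-2026-20805 fix is not given in the article and is left as a placeholder; the build-number ranges are the editor's mapping of the editions named above, not data from the article.

```powershell
# Added example, not from the original article: coverage check for CVE-2026-20805.
$PatchTuesday = Get-Date '2026-01-13'
$ExpectedKB   = 'KB<placeholder>'   # set from the Microsoft advisory for this build

# Editor's mapping of the article's affected editions to OS build numbers.
function Test-AffectedBuild([int]$Build) {
    switch ($Build) {
        { $_ -in 9200, 9600 }          { return $true }   # Server 2012 / 2012 R2
        { $_ -ge 14393 -and $_ -le 19045 } { return $true } # Win10 1607-22H2, Server 2016/2019
        { $_ -in 20348, 25398 }        { return $true }   # Server 2022 / 2022 23H2 Edition
        { $_ -ge 22631 -and $_ -le 26200 } { return $true } # Win11 23H2-25H2, Server 2025
        default                        { return $false }
    }
}

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$affected = Test-AffectedBuild $build

# DWM runs as dwm.exe on desktop SKUs; Server Core installs have no DWM process.
$dwmRunning = [bool](Get-Process -Name dwm -ErrorAction SilentlyContinue)

# Security updates applied since Patch Tuesday (InstalledOn can be null on old hosts).
$recent = Get-HotFix | Where-Object {
    $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday
}

# Prefer the explicit KB once it is filled in; otherwise fall back to the date heuristic.
if ($ExpectedKB -ne 'KB<placeholder>') {
    $hasFix = [bool](Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue)
} else {
    $hasFix = $recent.Count -gt 0
}

$status = if (-not $affected) { 'not in article list - review manually' }
          elseif ($hasFix)    { 'patched' }
          else                { 'ACTION: apply January 2026 security update' }

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $build
    ListedAsAffected  = $affected
    DwmRunning        = $dwmRunning
    PatchedSinceJan13 = ($recent.Count -gt 0)
    RecentSecurityKBs = ($recent.HotFixID -join ', ')
    Status            = $status
}
```

Run it under an account with local administrator rights on each endpoint, VDI image, and server, or wrap it in `Invoke-Command` to collect results fleet-wide.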