Report Name: Microsoft Patch Tuesday, January 2026
Generated: 2026-01-14 11:58:41

| Product Name | Prevalence | U | C | H | M | L | A | Comment |
|---|---|---|---|---|---|---|---|---|
| Windows Kernel | 0.9 | 3 | 3 | Windows Kernel | ||||
| Windows NTLM | 0.9 | 2 | 2 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity | ||||
| Windows Win32k | 0.9 | 3 | 3 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. | ||||
| Desktop Windows Manager | 0.8 | 1 | 1 | Windows component | ||||
| DirectX Graphics Kernel | 0.8 | 2 | 2 | DirectX Graphics Kernel | ||||
| Host Process for Windows Tasks | 0.8 | 1 | 1 | Windows component | ||||
| MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver | 0.8 | 1 | 1 | Windows component | ||||
| Microsoft DWM Core Library | 0.8 | 1 | 1 | Windows component | ||||
| Microsoft Office | 0.8 | 2 | 2 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer | ||||
| Microsoft Windows File Explorer | 0.8 | 1 | 1 | Windows component | ||||
| Tablet Windows User Interface (TWINUI) Subsystem | 0.8 | 2 | 2 | Windows component | ||||
| Windows Admin Center | 0.8 | 1 | 1 | Windows component | ||||
| Windows Ancillary Function Driver for WinSock | 0.8 | 3 | 3 | Windows component | ||||
| Windows Client-Side Caching (CSC) Service | 0.8 | 1 | 1 | Windows component | ||||
| Windows Clipboard Server | 0.8 | 1 | 1 | Windows component | ||||
| Windows Cloud Files Mini Filter Driver | 0.8 | 2 | 2 | Windows component | ||||
| Windows Common Log File System Driver | 0.8 | 1 | 1 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs | ||||
| Windows Connected Devices Platform Service | 0.8 | 1 | 1 | Windows component | ||||
| Windows Deployment Services | 0.8 | 1 | 1 | Windows component | ||||
| Windows Error Reporting Service | 0.8 | 1 | 1 | Windows component | ||||
| Windows File Explorer | 0.8 | 5 | 5 | Windows component | ||||
| Windows Graphics Component | 0.8 | 1 | 1 | Windows component | ||||
| Windows HTTP.sys | 0.8 | 1 | 1 | Windows component | ||||
| Windows Hello | 0.8 | 2 | 2 | Windows component | ||||
| Windows Installer | 0.8 | 1 | 1 | Windows component | ||||
| Windows Kerberos | 0.8 | 2 | 2 | Windows component | ||||
| Windows Kernel Memory | 0.8 | 1 | 1 | Windows component | ||||
| Windows Kernel-Mode Driver | 0.8 | 1 | 1 | Windows component | ||||
| Windows Local Security Authority Subsystem Service (LSASS) | 0.8 | 1 | 1 | 2 | Windows component | |||
| Windows Local Session Manager (LSM) | 0.8 | 1 | 1 | Windows component | ||||
| Windows Management Services | 0.8 | 12 | 12 | Windows component | ||||
| Windows Media | 0.8 | 1 | 1 | Windows component | ||||
| Windows NDIS | 0.8 | 1 | 1 | Windows component | ||||
| Windows NTFS | 0.8 | 2 | 2 | The default file system of the Windows NT family | ||||
| Windows Remote Assistance | 0.8 | 1 | 1 | Windows component | ||||
| Windows Remote Procedure Call Interface Definition Language (IDL) | 0.8 | 1 | 1 | Windows component | ||||
| Windows Routing and Remote Access Service (RRAS) | 0.8 | 1 | 1 | 2 | Windows component | |||
| Windows SMB Server | 0.8 | 6 | 6 | Windows component | ||||
| Windows Server Update Service (WSUS) | 0.8 | 1 | 1 | Windows component | ||||
| Windows Telephony Service | 0.8 | 1 | 1 | Windows component | ||||
| Windows Virtualization-Based Security (VBS) | 0.8 | 2 | 2 | Windows component | ||||
| Windows Virtualization-Based Security (VBS) Enclave | 0.8 | 2 | 2 | Windows component | ||||
| Windows WalletService | 0.8 | 1 | 1 | Windows component | ||||
| Windows Win32 Kernel Subsystem | 0.8 | 1 | 1 | Windows component | ||||
| Windows rndismp6.sys | 0.8 | 1 | 1 | Windows component | ||||
| Microsoft SharePoint | 0.7 | 1 | 1 | 2 | Microsoft SharePoint | |||
| Microsoft Excel | 0.6 | 6 | 6 | MS Office product | ||||
| Microsoft Word | 0.6 | 2 | 2 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. | ||||
| Windows Hyper-V | 0.6 | 1 | 1 | Hardware virtualization component of the client editions of Windows NT | ||||
| Azure Connected Machine Agent | 0.5 | 1 | 1 | Azure Connected Machine Agent | ||||
| Azure Core shared client library for Python | 0.5 | 1 | 1 | Azure Core shared client library for Python | ||||
| Capability Access Management Service (camsvc) | 0.5 | 5 | 5 | Capability Access Management Service (camsvc) | ||||
| Desktop Window Manager | 0.5 | 1 | 1 | Desktop Window Manager | ||||
| Dynamic Root of Trust for Measurement (DRTM) | 0.5 | 1 | 1 | Dynamic Root of Trust for Measurement (DRTM) | ||||
| Inbox COM Objects (Global Memory) | 0.5 | 1 | 1 | Inbox COM Objects (Global Memory) | ||||
| LDAP Tampering Vulnerability | 0.5 | 1 | 1 | LDAP Tampering Vulnerability | ||||
| Microsoft Office Click-To-Run | 0.5 | 1 | 1 | Microsoft Office Click-To-Run | ||||
| Microsoft SQL Server | 0.5 | 1 | 1 | Microsoft SQL Server | ||||
| Microsoft SharePoint Server | 0.5 | 3 | 3 | Microsoft SharePoint Server | ||||
| Motorola SM56 Modem WDM Driver | 0.5 | 1 | 1 | Motorola SM56 Modem WDM Driver is a Windows kernel-mode driver package used to support Motorola SM56 soft modems. It includes the signed driver SmSerl64.sys, which handles low-level hardware interactions for modem functionality. | ||||
| Remote Procedure Call | 0.5 | 1 | 1 | Remote Procedure Call | ||||
| Secure Boot Certificate Expiration | 0.5 | 1 | 1 | Secure Boot Certificate Expiration | ||||
| TPM Trustlet | 0.5 | 1 | 1 | TPM Trustlet |

| Vulnerability Type | Criticality | U | C | H | M | L | A |
|---|---|---|---|---|---|---|---|
| Remote Code Execution | 1.0 | 1 | 10 | 11 | 22 | ||
| Security Feature Bypass | 0.9 | 3 | 3 | ||||
| Elevation of Privilege | 0.85 | 1 | 55 | 56 | |||
| Information Disclosure | 0.83 | 1 | 22 | 23 | |||
| Denial of Service | 0.7 | 2 | 2 | ||||
| Spoofing | 0.4 | 5 | 5 | ||||
| Tampering | 0.3 | 3 | 3 |

| Source | U | C | H | M | L | A |
|---|---|---|---|---|---|---|
| Qualys | 7 | 12 | 19 | |||
| Tenable | 6 | 2 | 8 | |||
| Rapid7 | 2 | 1 | 3 | |||
| ZDI | 2 | 2 | 4 |

1. Remote Code Execution - Windows Deployment Services (CVE-2026-0386) - Critical [609]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:OSMAN1337-SECURITY:CVE-2025-54100 website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
2. Elevation of Privilege - MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver (CVE-2023-31096) - High [594]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:cschwarz1.github.io website |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0.1 | 10 | EPSS Probability is 0.00022, EPSS Percentile is 0.05279 |
Qualys: MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability Microsoft mentioned in the advisory that “the vulnerabilities in the third-party Agere Soft Modem drivers that ship natively with supported Windows operating systems.” Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. Microsoft fixes this vulnerability by removing agrsm64.sys and agrsm.sys drivers.
Tenable: Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.
Rapid7: Back in October 2025, Microsoft removed a specific modem driver ltmdm64.sys from all versions of Windows, after it was implicated in CVE-2025-24052, an exploited-in-the-wild elevation of privilege vulnerability. Today sees another couple of modem drivers removed from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096. That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.
Rapid7: Two questions remain: how many more legacy modem drivers are still present on a fully-patched Windows asset, and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying living off the land[line] by exploiting an entire class of dusty old device drivers? Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime. In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.
3. Information Disclosure - Desktop Window Manager (CVE-2026-20805) - High [517]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Desktop Window Manager |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability An unauthenticated attacker may exploit the vulnerability to disclose information locally. Upon successful exploitation, an attacker can expose a section address from a remote ALPC port, which is user-mode memory. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before February 3, 2026.
Tenable: Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
Tenable: CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability
Tenable: CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
Tenable: Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Contrary to CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
Rapid7: The Windows Desktop Windows Manager (DWM) is a high value target for vulnerability researchers and threat actors, and CVE-2026-20805 is the latest in an occasional series of exploited-in-the-wild zero-day vulnerabilities to have emerged from it. DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something. In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user mode memory where Windows components coordinate various actions between themselves.
Rapid7: The CVSS v3 score of 5.5 evaluates to medium severity, which wouldn’t typically scream “patch me first”, but Microsoft evaluates CVE-2026-20805 as important on their proprietary severity scale, and information disclosure vulnerabilities by their very nature tend to end up with lower CVSS scores, since there’s no direct impact on integrity or availability. Also, Microsoft information disclosure vulnerabilities very rarely end up marked as exploited in the wild; any that do are very likely to be part of a longer exploit chain. In this case, it’s likely that the improperly disclosed memory address gives an attacker a starting point in the hunt for the in-memory address of the DWM process, sidestepping Address Space Layout Randomization (ASLR), and greatly increasing the chance of developing a stable elevation of privilege exploit for DWM rather than a flakey blue screen of death generator.
ZDI: CVE-2026-20805 - Desktop Window Manager Information Disclosure Vulnerability. It’s a bit unusual to see an information disclosure bug exploited in the wild, but that’s what we have here. This bug allows an attacker to leak a section address from a remote ALPC port. Presumably, threat actors would then use the address in the next stage of their exploit chain – probably gaining arbitrary code execution. This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable. As always, Microsoft offers no indication of how widespread these exploits may be, but considering the source, they are likely limited.
4. Remote Code Execution - Motorola SM56 Modem WDM Driver (CVE-2024-55414) - High [464]
Description: A vulnerability exists in driver SmSerl64.sys in
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Motorola SM56 Modem WDM Driver is a Windows kernel-mode driver package used to support Motorola SM56 soft modems. It includes the signed driver SmSerl64.sys, which handles low-level hardware interactions for modem functionality. |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 0.7 | 10 | EPSS Probability is 0.00495, EPSS Percentile is 0.65102 |
5. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2026-20868) - High [419]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
6. Remote Code Execution - Microsoft Office (CVE-2026-20952) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20952 & CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
Tenable: CVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability
Tenable: CVE-2026-20952 and CVE-2026-20953 are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities was assigned a CVSSv3 score of 8.4, rated as critical and assessed as “Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.
ZDI: CVE-2026-20952/20953 - Microsoft Office Remote Code Execution Vulnerability. Another month with Preview Pane exploit vectors in an Office bug. While we are still unaware of any exploitation of these bugs, they keep adding up. It’s only a matter of time until threat actors find a way to use these types of bugs in their exploits. If you are concerned about these, you can take the extra precaution of disabling the Preview Pane, which at least prevents exploitation without user interaction.
7. Remote Code Execution - Microsoft Office (CVE-2026-20953) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
8. Remote Code Execution - Windows Local Security Authority Subsystem Service (LSASS) (CVE-2026-20854) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability The Local Security Authority Subsystem Service (LSASS) is a core Windows process that handles user authentication, enforces security policies, and manages sensitive credentials (like passwords, NTLM hashes) by generating access tokens for users. A use-after-free flaw in the Windows Local Security Authority Subsystem Service allows an authorized attacker to execute code over a network.
9. Remote Code Execution - Windows Media (CVE-2026-20837) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
10. Remote Code Execution - Windows NTFS (CVE-2026-20840) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | The default file system of the Windows NT family |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: Other Microsoft Vulnerability Highlights CVE-2026-20816 is an elevation of privilege vulnerability in the Windows Installer. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2026-20817 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2026-20820 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. A heap-based buffer overflow flaw could allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-20840 & CVE-2026-20922 are remote code execution vulnerabilities in Windows NTFS. A heap-based buffer overflow flaw could allow an authenticated attacker to achieve remote code execution. CVE-2026-20860 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. A type confusion flaw may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-20843 is an elevation of privilege vulnerability in the Windows Routing and Remote Access Service (RRAS). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2026-20871 is an elevation of privilege vulnerability in Desktop Windows Manager. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Tenable: CVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability
Tenable: CVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.
11. Remote Code Execution - Windows NTFS (CVE-2026-20922) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | The default file system of the Windows NT family |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
12. Remote Code Execution - Windows Server Update Service (WSUS) (CVE-2026-20856) - High [407]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
13. Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) - High [402]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.7 | 14 | Microsoft SharePoint |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
14. Elevation of Privilege - Windows Win32k (CVE-2026-20811) - Medium [397]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
15. Elevation of Privilege - Windows Win32k (CVE-2026-20920) - Medium [397]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
16. Elevation of Privilege - Windows Win32k (CVE-2026-20863) - Medium [385]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
17. Elevation of Privilege - Desktop Windows Manager (CVE-2026-20871) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
18. Elevation of Privilege - Host Process for Windows Tasks (CVE-2026-20941) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
19. Elevation of Privilege - Windows Admin Center (CVE-2026-20965) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
20. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-20810) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
21. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-20831) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
22. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-20860) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
23. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2026-20857) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
24. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2026-20940) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
25. Elevation of Privilege - Windows Common Log File System Driver (CVE-2026-20820) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
26. Elevation of Privilege - Windows Connected Devices Platform Service (CVE-2026-20864) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
27. Elevation of Privilege - Windows Error Reporting Service (CVE-2026-20817) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
28. Elevation of Privilege - Windows Graphics Component (CVE-2026-20822) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20822: Windows Graphics Component Elevation of Privilege Vulnerability A use-after-free flaw in the Microsoft Graphics Component may allow an authenticated attacker to elevate privileges locally. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
29. Elevation of Privilege - Windows HTTP.sys (CVE-2026-20929) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
30. Elevation of Privilege - Windows Installer (CVE-2026-20816) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
31. Elevation of Privilege - Windows Kerberos (CVE-2026-20849) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
32. Elevation of Privilege - Windows Kernel Memory (CVE-2026-20809) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
33. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2026-20859) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
34. Elevation of Privilege - Windows Management Services (CVE-2026-20858) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
35. Elevation of Privilege - Windows Management Services (CVE-2026-20861) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
36. Elevation of Privilege - Windows Management Services (CVE-2026-20865) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
37. Elevation of Privilege - Windows Management Services (CVE-2026-20866) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
38. Elevation of Privilege - Windows Management Services (CVE-2026-20867) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
39. Elevation of Privilege - Windows Management Services (CVE-2026-20873) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
40. Elevation of Privilege - Windows Management Services (CVE-2026-20874) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
41. Elevation of Privilege - Windows Management Services (CVE-2026-20877) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
42. Elevation of Privilege - Windows Management Services (CVE-2026-20918) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
43. Elevation of Privilege - Windows Management Services (CVE-2026-20923) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
44. Elevation of Privilege - Windows Management Services (CVE-2026-20924) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
45. Elevation of Privilege - Windows Remote Procedure Call Interface Definition Language (IDL) (CVE-2026-20832) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
46. Elevation of Privilege - Windows Routing and Remote Access Service (RRAS) (CVE-2026-20843) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
47. Elevation of Privilege - Windows SMB Server (CVE-2026-20848) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
48. Elevation of Privilege - Windows SMB Server (CVE-2026-20919) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
49. Elevation of Privilege - Windows SMB Server (CVE-2026-20921) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
50. Elevation of Privilege - Windows SMB Server (CVE-2026-20926) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
51. Elevation of Privilege - Windows SMB Server (CVE-2026-20934) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
52. Elevation of Privilege - Windows Telephony Service (CVE-2026-20931) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 8.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
53. Elevation of Privilege - Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20938) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
54. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2026-20870) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
55. Information Disclosure - Tablet Windows User Interface (TWINUI) Subsystem (CVE-2026-20826) - Medium [376]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
56. Remote Code Execution - Microsoft Excel (CVE-2026-20946) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
57. Remote Code Execution - Microsoft Excel (CVE-2026-20950) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
58. Remote Code Execution - Microsoft Excel (CVE-2026-20955) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20955: Microsoft Excel Remote Code Execution Vulnerability Successful exploitation of the vulnerability may allow an unauthenticated attacker to achieve remote code execution.
59. Remote Code Execution - Microsoft Excel (CVE-2026-20956) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
60. Remote Code Execution - Microsoft Excel (CVE-2026-20957) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20957: Microsoft Excel Remote Code Execution Vulnerability An integer underflow flaw in Microsoft Office Excel allows an unauthenticated attacker to achieve remote code execution.
61. Remote Code Execution - Microsoft Word (CVE-2026-20944) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. |
| | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20944: Microsoft Word Remote Code Execution Vulnerability An out-of-bounds read flaw in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution. An attacker must send the user a malicious file and convince them to open it for the vulnerability to be successfully exploited.
62.
Remote Code Execution - Microsoft Word (CVE-2026-20948) - Medium [373]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
63.
Information Disclosure - Windows Kernel (CVE-2026-20818) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.9 | 14 | Windows Kernel |
| | 0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
64.
Information Disclosure - Windows Kernel (CVE-2026-20838) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.9 | 14 | Windows Kernel |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
65.
Remote Code Execution - Microsoft SharePoint Server (CVE-2026-20947) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Microsoft SharePoint Server |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
66.
Elevation of Privilege - DirectX Graphics Kernel (CVE-2026-20814) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | DirectX Graphics Kernel |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
67.
Elevation of Privilege - DirectX Graphics Kernel (CVE-2026-20836) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | DirectX Graphics Kernel |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
68.
Elevation of Privilege - Microsoft DWM Core Library (CVE-2026-20842) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
69.
Elevation of Privilege - Windows Clipboard Server (CVE-2026-20844) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
70.
Elevation of Privilege - Windows File Explorer (CVE-2026-20808) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
71.
Elevation of Privilege - Windows Local Session Manager (LSM) (CVE-2026-20869) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
72.
Elevation of Privilege - Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 6.7. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability A heap-based buffer overflow flaw in Windows Virtualization-Based Security (VBS) Enclave could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain Virtual Trust Level 2 (VTL2) privileges.
ZDI: CVE-2026-20876 – Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability. VBS is a newer security feature in Windows, and Virtual Trust Levels (VTL) serve as different privilege levels. VTL2 is currently the highest privileged level, and this bug allows attackers to escalate to VTL2. Microsoft doesn’t say if you need to be at VTL0 or VTL1 to exploit this bug. As far as I can recall, this is the first VTL escalation bug patched within VBS. Microsoft lists this as CVSS 6.7, but I believe this is a scope change since you’re traversing VTL levels. Taking that into consideration makes the CVSS score 8.2 (High).
73.
Elevation of Privilege - Windows WalletService (CVE-2026-20853) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
74.
Security Feature Bypass - Windows Remote Assistance (CVE-2026-20824) - Medium [365]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
75.
Remote Code Execution - Azure Core shared client library for Python (CVE-2026-21226) - Medium [357]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Azure Core shared client library for Python |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
76.
Remote Code Execution - Microsoft SharePoint Server (CVE-2026-20951) - Medium [357]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Microsoft SharePoint Server |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
77.
Security Feature Bypass - Microsoft Excel (CVE-2026-20949) - Medium [355]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
78.
Denial of Service - Windows Local Security Authority Subsystem Service (LSASS) (CVE-2026-20875) - Medium [353]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
79.
Information Disclosure - Tablet Windows User Interface (TWINUI) Subsystem (CVE-2026-20827) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
80.
Information Disclosure - Windows Client-Side Caching (CSC) Service (CVE-2026-20839) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
81.
Information Disclosure - Windows File Explorer (CVE-2026-20823) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
82.
Information Disclosure - Windows File Explorer (CVE-2026-20932) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
83.
Information Disclosure - Windows File Explorer (CVE-2026-20937) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
84.
Information Disclosure - Windows File Explorer (CVE-2026-20939) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
85.
Information Disclosure - Windows Kerberos (CVE-2026-20833) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
86.
Information Disclosure - Windows Management Services (CVE-2026-20862) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
87.
Information Disclosure - Windows Virtualization-Based Security (VBS) (CVE-2026-20819) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
88.
Information Disclosure - Windows Virtualization-Based Security (VBS) (CVE-2026-20935) - Medium [352]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
89.
Remote Code Execution - Inbox COM Objects (Global Memory) (CVE-2026-21219) - Medium [345]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Inbox COM Objects (Global Memory) |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
90.
Information Disclosure - Windows rndismp6.sys (CVE-2026-20828) - Medium [341]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.5 | 10 | CVSS Base Score is 4.6. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
91.
Elevation of Privilege - Azure Connected Machine Agent (CVE-2026-21224) - Medium [330]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Azure Connected Machine Agent |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
92.
Information Disclosure - Windows NDIS (CVE-2026-20936) - Medium [329]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.8 | 14 | Windows component |
| | 0.4 | 10 | CVSS Base Score is 4.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
93.
Information Disclosure - Microsoft SharePoint (CVE-2026-20958) - Medium [324]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.7 | 14 | Microsoft SharePoint |
| | 0.5 | 10 | CVSS Base Score is 5.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
94.
Elevation of Privilege - Capability Access Management Service (camsvc) (CVE-2026-20815) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Capability Access Management Service (camsvc) |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
95.
Elevation of Privilege - Capability Access Management Service (camsvc) (CVE-2026-20830) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Capability Access Management Service (camsvc) |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
96.
Elevation of Privilege - Capability Access Management Service (camsvc) (CVE-2026-21221) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Capability Access Management Service (camsvc) |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
97.
Elevation of Privilege - Microsoft Office Click-To-Run (CVE-2026-20943) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Microsoft Office Click-To-Run |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
98.
Elevation of Privilege - Microsoft SQL Server (CVE-2026-20803) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Microsoft SQL Server |
| | 0.7 | 10 | CVSS Base Score is 7.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
99.
Denial of Service - Windows SMB Server (CVE-2026-20927) - Medium [317]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.8 | 14 | Windows component |
| | 0.5 | 10 | CVSS Base Score is 5.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
100.
Security Feature Bypass - Secure Boot Certificate Expiration (CVE-2026-21265) - Medium [315]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.5 | 14 | Secure Boot Certificate Expiration |
| | 0.6 | 10 | CVSS Base Score is 6.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21265: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability Upon successful exploitation of the vulnerability, an attacker could bypass Secure Boot. Microsoft has informed that Windows Secure Boot certificates issued in 2011 are nearing expiration, and systems that are not updated will have an increased risk of threat actors bypassing Secure Boot.
Tenable: CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Tenable: CVE-2026-21265 is a security feature bypass in the Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”
Rapid7: Today sees the publication of CVE-2026-21265, which is a critical security feature bypass vulnerability affecting Windows Secure Boot. Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet. Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.
ZDI: CVE-2026-21265 - Secure Boot Certificate Expiration Security Feature Bypass Vulnerability. While unlikely to be exploited, this bug could cause quite a bit of headaches for administrators. You will need to update the expiring certificates to continue receiving security updates or trusting new boot loaders. Again, the chances this CVE gets exploited are low. However, the chance this CVE gets ignored and devices using Secure Boot don’t receive patches is quite high. Also, this is listed as publicly known, but that just means Microsoft published information about this months ago.
101.
Spoofing - Windows NTLM (CVE-2026-20872) - Medium [304]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.9 | 14 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
102.
Spoofing - Windows NTLM (CVE-2026-20925) - Medium [304]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.9 | 14 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
103.
Information Disclosure - Capability Access Management Service (camsvc) (CVE-2026-20835) - Medium [302]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Capability Access Management Service (camsvc) |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
104.
Information Disclosure - Capability Access Management Service (camsvc) (CVE-2026-20851) - Medium [302]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Capability Access Management Service (camsvc) |
| | 0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
105.
Information Disclosure - Remote Procedure Call (CVE-2026-20821) - Medium [302]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Remote Procedure Call |
| | 0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
106.
Information Disclosure - TPM Trustlet (CVE-2026-20829) - Medium [302]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | TPM Trustlet |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
107.
Information Disclosure - Windows Hyper-V (CVE-2026-20825) - Medium [295]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.6 | 14 | Hardware virtualization component of the client editions of Windows NT |
| | 0.4 | 10 | CVSS Base Score is 4.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
108.
Spoofing - Microsoft Windows File Explorer (CVE-2026-20847) - Medium [288]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
109.
Tampering - Windows Hello (CVE-2026-20804) - Medium [282]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.3 | 15 | Tampering |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.7. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
110.
Tampering - Windows Hello (CVE-2026-20852) - Medium [282]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.3 | 15 | Tampering |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.7. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
111.
Spoofing - Windows Kernel (CVE-2026-20834) - Medium [280]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.9 | 14 | Windows Kernel |
| | 0.5 | 10 | CVSS Base Score is 4.6. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
112.
Information Disclosure - Dynamic Root of Trust for Measurement (DRTM) (CVE-2026-20962) - Medium [279]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Dynamic Root of Trust for Measurement (DRTM) |
| | 0.4 | 10 | CVSS Base Score is 4.4. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
113.
Tampering - LDAP Tampering Vulnerability (CVE-2026-20812) - Medium [220]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.3 | 15 | Tampering |
| | 0.5 | 14 | LDAP Tampering Vulnerability |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
114.
Spoofing - Microsoft SharePoint Server (CVE-2026-20959) - Medium [214]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.5 | 14 | Microsoft SharePoint Server |
| | 0.5 | 10 | CVSS Base Score is 4.6. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability. An unauthenticated attacker may exploit the vulnerability to disclose information locally. Upon successful exploitation, an attacker can expose a section address from a remote ALPC port, which is user-mode memory. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before February 3, 2026.
Tenable: Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
Tenable: CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability
Tenable: CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
Tenable: Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Contrary to CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
Rapid7: The Windows Desktop Windows Manager (DWM) is a high value target for vulnerability researchers and threat actors, and CVE-2026-20805 is the latest in an occasional series of exploited-in-the-wild zero-day vulnerabilities to have emerged from it. DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something. In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user mode memory where Windows components coordinate various actions between themselves.
Rapid7: The CVSS v3 score of 5.5 evaluates to medium severity, which wouldn’t typically scream “patch me first”, but Microsoft evaluates CVE-2026-20805 as important on their proprietary severity scale, and information disclosure vulnerabilities by their very nature tend to end up with lower CVSS scores, since there’s no direct impact on integrity or availability. Also, Microsoft information disclosure vulnerabilities very rarely end up marked as exploited in the wild; any that do are very likely to be part of a longer exploit chain. In this case, it’s likely that the improperly disclosed memory address gives an attacker a starting point in the hunt for the in-memory address of the DWM process, sidestepping Address Space Layout Randomization (ASLR), and greatly increasing the chance of developing a stable elevation of privilege exploit for DWM rather than a flakey blue screen of death generator.
ZDI: CVE-2026-20805 - Desktop Window Manager Information Disclosure Vulnerability. It’s a bit unusual to see an information disclosure bug exploited in the wild, but that’s what we have here. This bug allows an attacker to leak a section address from a remote ALPC port. Presumably, threat actors would then use the address in the next stage of their exploit chain – probably gaining arbitrary code execution. This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable. As always, Microsoft offers no indication of how widespread these exploits may be, but considering the source, they are likely limited.
Qualys: MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability. Microsoft mentioned in the advisory that “the vulnerabilities in the third-party Agere Soft Modem drivers that ship natively with supported Windows operating systems.” Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. Microsoft fixes this vulnerability by removing agrsm64.sys and agrsm.sys drivers.
Tenable: Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.
Rapid7: Back in October 2025, Microsoft removed a specific modem driver ltmdm64.sys from all versions of Windows, after it was implicated in CVE-2025-24052, an exploited-in-the-wild elevation of privilege vulnerability. Today sees another couple of modem drivers removed from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096. That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.
Rapid7: Two questions remain: how many more legacy modem drivers are still present on a fully-patched Windows asset, and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying living off the land[line] by exploiting an entire class of dusty old device drivers? Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime. In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.
Qualys: CVE-2026-20952 & CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability. A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
Tenable: CVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability
Tenable: CVE-2026-20952 and CVE-2026-20953 are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities was assigned a CVSSv3 score of 8.4, rated as critical and assessed as “Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.
ZDI: CVE-2026-20952/20953 - Microsoft Office Remote Code Execution Vulnerability. Another month with Preview Pane exploit vectors in an Office bug. While we are still unaware of any exploitation of these bugs, they keep adding up. It’s only a matter of time until threat actors find a way to use these types of bugs in their exploits. If you are concerned about these, you can take the extra precaution of disabling the Preview Pane, which at least prevents exploitation without user interaction.
Qualys: CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability. The Local Security Authority Subsystem Service (LSASS) is a core Windows process that handles user authentication, enforces security policies, and manages sensitive credentials (like passwords, NTLM hashes) by generating access tokens for users. A use-after-free flaw in the Windows Local Security Authority Subsystem Service allows an authorized attacker to execute code over a network.
Qualys: Other Microsoft Vulnerability Highlights: CVE-2026-20816 is an elevation of privilege vulnerability in the Windows Installer. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2026-20817 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2026-20820 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. A heap-based buffer overflow flaw could allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-20840 & CVE-2026-20922 are remote code execution vulnerabilities in Windows NTFS. A heap-based buffer overflow flaw could allow an authenticated attacker to achieve remote code execution. CVE-2026-20860 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. A type confusion flaw may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-20843 is an elevation of privilege vulnerability in the Windows Routing and Remote Access Service (RRAS). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2026-20871 is an elevation of privilege vulnerability in Desktop Windows Manager. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Tenable: CVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability
Tenable: CVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.
Qualys: CVE-2026-20955: Microsoft Excel Remote Code Execution Vulnerability. Successful exploitation of the vulnerability may allow an unauthenticated attacker to achieve remote code execution.
Qualys: CVE-2026-20957: Microsoft Excel Remote Code Execution Vulnerability. An integer underflow flaw in Microsoft Office Excel allows an unauthenticated attacker to achieve remote code execution.
Qualys: CVE-2026-20944: Microsoft Word Remote Code Execution Vulnerability. An out-of-bounds read flaw in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution. An attacker must send the user a malicious file and convince them to open it for the vulnerability to be successfully exploited.
Qualys: CVE-2026-20822: Windows Graphics Component Elevation of Privilege Vulnerability. A use-after-free flaw in the Microsoft Graphics Component may allow an authenticated attacker to elevate privileges locally. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
Qualys: CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability. A heap-based buffer overflow flaw in Windows Virtualization-Based Security (VBS) Enclave could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain Virtual Trust Level 2 (VTL2) privileges.
ZDI: CVE-2026-20876 – Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability. VBS is a newer security feature in Windows, and Virtual Trust Levels (VTL) serve as different privilege levels. VTL2 is currently the highest privileged level, and this bug allows attackers to escalate to VTL2. Microsoft doesn’t say if you need to be at VTL0 or VTL1 to exploit this bug. As far as I can recall, this is the first VTL escalation bug patched within VBS. Microsoft lists this as CVSS 6.7, but I believe this is a scope change since you’re traversing VTL levels. Taking that into consideration makes the CVSS score 8.2 (High).
Qualys: CVE-2026-21265: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability. Upon successful exploitation of the vulnerability, an attacker could bypass Secure Boot. Microsoft has informed that Windows Secure Boot certificates issued in 2011 are nearing expiration, and systems that are not updated will have an increased risk of threat actors bypassing Secure Boot.
Tenable: CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Tenable: CVE-2026-21265 is a security feature bypass in the Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”
Rapid7: Today sees the publication of CVE-2026-21265, which is a critical security feature bypass vulnerability affecting Windows Secure Boot. Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet. Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.
ZDI: CVE-2026-21265 - Secure Boot Certificate Expiration Security Feature Bypass Vulnerability. While unlikely to be exploited, this bug could cause quite a bit of headaches for administrators. You will need to update the expiring certificates to continue receiving security updates or trusting new boot loaders. Again, the chances this CVE gets exploited are low. However, the chance this CVE gets ignored and devices using Secure Boot don’t receive patches is quite high. Also, this is listed as publicly known, but that just means Microsoft published information about this months ago.