
CISA Adds Windows DWM Flaw to Known Exploited Vulnerabilities Catalog

Federal agencies must patch CVE-2026-20805 by February 3, 2026 after CISA confirmed active exploitation of the Windows Desktop Window Manager vulnerability.


TechDrop Editorial


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Federal agencies must apply patches by February 3, 2026.

About CVE-2026-20805

CVE-2026-20805 is an information disclosure vulnerability in Windows Desktop Window Manager (DWM):

  • CVSS Score: 5.5 (Medium)
  • Attack Vector: Local
  • Privileges Required: Low (basic user account)
  • Impact: Disclosure of sensitive memory addresses

Why It Matters

While rated Medium severity, information disclosure vulnerabilities are often used as part of exploit chains. Attackers use the leaked information to:

  • Defeat ASLR: Address Space Layout Randomization becomes ineffective when memory addresses are known
  • Enable reliable exploitation: Other vulnerabilities become easier to exploit with precise memory layout knowledge
  • Escalate privileges: Combined with other flaws for complete system compromise

KEV Catalog Requirements

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must:

  1. Identify affected systems within their environments
  2. Apply Microsoft's January 2026 security updates
  3. Complete remediation by February 3, 2026
  4. Report compliance status

Recommendations for All Organizations

While the KEV mandate applies only to federal agencies, CISA recommends all organizations treat KEV entries as high-priority patches. The confirmed active exploitation means attackers are already using this vulnerability—delay increases risk.
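The KEV requirements and the recommendation above reduce to one triage rule: a catalogued CVE outranks a higher CVSS score that is not in the catalog. The script below, added here and not part of the article, applies that rule to a constructed scanner export against a constructed excerpt of the KEV feed (the field names cveID and dueDate are the real ones; the CVE-0000-* identifiers are placeholders, not real catalog entries).

```python
"""KEV-driven patch triage: rank scanner findings by KEV deadline first,
then by CVSS. Added example; the feed excerpt and findings are constructed."""
import json
from datetime import date

# Constructed excerpt of the KEV feed. Field names match the real feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The first entry carries the due date stated in the article; the second is
# a placeholder record, not a real catalog entry.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-20805", "vendorProject": "Microsoft",
   "product": "Windows", "dueDate": "2026-02-03"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct", "dueDate": "2025-12-22"}
]}
"""

# Constructed scanner export: host, CVE, and the scanner's CVSS score.
# Only CVE-2026-20805 is a real identifier; the others are placeholders.
FINDINGS = [
    {"host": "ws-01", "cve": "CVE-2026-20805", "cvss": 5.5},
    {"host": "srv-02", "cve": "CVE-0000-00002", "cvss": 9.8},
    {"host": "srv-02", "cve": "CVE-0000-00001", "cvss": 7.2},
    {"host": "ws-01", "cve": "CVE-0000-00003", "cvss": 4.3},
]


def load_kev_due_dates(kev_json):
    """Map cveID -> dueDate (as a date) for every entry in the feed."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}


def triage(findings, kev_json, today):
    """Return findings ranked: KEV entries first (overdue, then soonest due),
    everything else afterwards by CVSS descending."""
    due = load_kev_due_dates(kev_json)
    ranked = []
    for f in findings:
        deadline = due.get(f["cve"])
        if deadline is not None:
            days = (deadline - today).days
            ranked.append({**f, "kev": True, "days_to_due": days,
                           "action": "overdue" if days < 0 else "patch now"})
        else:
            ranked.append({**f, "kev": False, "days_to_due": None,
                           "action": "schedule by CVSS"})
    # KEV rows sort by deadline; non-KEV rows sort by CVSS, highest first.
    ranked.sort(key=lambda r: (not r["kev"],
                               r["days_to_due"] if r["kev"] else -r["cvss"]))
    return ranked
```

Run against the constructed data with today set to 2026-01-20, the Medium-rated CVE-2026-20805 lands above the 9.8 non-KEV finding, which is the ordering CISA's guidance asks for.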
