~/home/news/critical-windows-info-disclosure-zero-day-cve-2026-2026-01-17
newsSaturday, January 17, 20268 min read👁 26 views

Critical Windows Info-Disclosure Zero-Day (CVE-2026-20805) Actively Exploited - Patch & CISA Alert

Microsoft disclosed CVE-2026-20805, an info-disclosure flaw that can be chained to remote code execution, and released patches on Jan 14 2026. CISA issued an emergency alert confirming active exploitation, urging immediate remediation across all supported Windows versions.

CVE-2026-20805Windows SecurityPatch Tuesday 2026CISA Alert

Overview

On 14 January 2026 Microsoft released a security update that patches a newly disclosed Windows zero-day, CVE-2026-20805. The vulnerability is an information-disclosure flaw in the Advanced Local Procedure Call (ALPC) subsystem that allows an unauthenticated remote attacker to read kernel memory addresses. When combined with a second vulnerability, the leaked address can defeat Address Space Layout Randomization (ASLR) and lead to remote code execution (RCE). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog the same day, issuing an emergency alert that the flaw is already being weaponised in the wild.

Technical Details

CVE Identifier and Rating

  • CVE-2026-20805 - Information-disclosure via ALPC port
  • CVSS v3.1 base score: 5.5 (Medium) - however, the exploit chain raises the overall risk to critical.

Vulnerable Component

The flaw resides in the Windows kernel’s ALPC implementation, specifically the handling of user-supplied data on a remote ALPC port. An attacker can send a malformed request that causes the kernel to copy a pointer value from kernel space into a user-controlled buffer, leaking a 64-bit memory address.

Exploitation Method

1. Reconnaissance: The attacker establishes a connection to a vulnerable ALPC endpoint on the target system (typically reachable over SMB or a custom RPC service).
2. Memory Leak: By triggering the malformed request, the attacker receives a kernel address (e.g., the base of ntoskrnl.exe or a driver).
3. ASLR Bypass: The leaked address reveals the randomization offset, nullifying ASLR protections.
4. Chaining: The attacker then uses a second vulnerability-often a heap overflow or use-after-free in a privileged driver-to write shellcode at a known location.
5. Remote Code Execution: Final payload executes with SYSTEM or kernel privileges.

Why It’s Dangerous

ALPC is a core inter-process communication mechanism used by many Windows services. Because the leak can be triggered remotely without authentication, it provides a low-cost first step for sophisticated threat actors. The ability to defeat ASLR makes many existing exploit techniques, previously considered impractical, suddenly viable.

Impact Analysis

  • Scope: All supported Windows client and server editions - Windows 10 (1909+), Windows 11, Windows Server 2019, Windows Server 2022, and newer releases.
  • Enterprise Risk: Potential for lateral movement, privilege escalation, and persistence on critical infrastructure.
  • Government: Federal agencies are required to remediate by 3 February 2026 under CISA’s directive.
  • Consumers: Home PCs are also vulnerable; exploitation is less likely but possible via malicious software or compromised network services.

Timeline of Events

  • Early January 2026 - Microsoft’s internal threat-intel team discovers the ALPC memory-leak bug.
  • 14 January 2026 00:36 UTC - Microsoft publishes Security Update Guide (KB 5028234) and releases patches for all affected Windows versions.
  • 14 January 2026 - CISA adds CVE-2026-20805 to the KEV catalog and issues an Emergency Alert (EA-22-01) warning of active exploitation.
  • 15 January 2026 - Security researchers (Trend Micro ZDI, Immersive) publish initial analyses confirming the exploit chain.
  • 3 February 2026 - Deadline for federal agencies to apply the patch, per CISA directive.

Mitigation and Recommendations

  1. Apply the Patch Immediately - Deploy Microsoft Security Update KB 5028234 via WSUS, SCCM, or Windows Update for Business. Verify installation with wmic qfe list brief /format:table | find 5028234.
  2. Prioritise Critical Systems - Patch domain controllers, Exchange servers, Azure AD Connect, and any system exposing RPC/SMB services.
  3. Network Segmentation - Restrict inbound traffic to ports used by ALPC-based services (typically 445/TCP for SMB, 135/TCP for RPC) to trusted subnets.
  4. Enable Exploit Guard - Use Windows Defender Exploit Guard (Attack Surface Reduction rules) to block untrusted binaries that could be used in the second-stage payload.
  5. Monitor for Indicators of Compromise (IoCs) - Look for unusual ALPC traffic, anomalous kernel-mode memory reads, and known exploit signatures (e.g., YARA rules released by CISA).
  6. Fallback Controls - If patching cannot be performed immediately, consider disabling the vulnerable service or applying a temporary registry hardening: HKLM\SYSTEM\CurrentControlSet\Services\ALPC\Parameters\EnableLeakProtection = 1 (subject to testing).

Real-World Impact

Enterprises that rely on Windows-based file servers, virtualization hosts, or remote desktop gateways are at immediate risk. An attacker who gains a kernel address can bypass the ASLR barrier that protects many modern exploits, potentially turning a low-complexity memory-leak into a full-blown ransomware or espionage campaign. Government agencies, already targeted by nation-state actors, face heightened exposure because the KEV listing indicates that at least one advanced threat group is field-testing the chain in the wild.

Expert Opinion

As a senior cybersecurity analyst, I view CVE-2026-20805 as a textbook example of how a “medium-severity” disclosure can become “critical” once an exploit chain is demonstrated. The fact that Microsoft’s own threat-intel team discovered the bug suggests a proactive internal research capability, but the rapid appearance of an active exploit highlights the speed at which adversaries can weaponise even “information-only” flaws.

For the industry, this incident reinforces three strategic imperatives:

  • Speed of Patch Deployment - Organizations must treat Patch Tuesday updates as urgent, not optional, especially when a KEV alert follows.
  • Depth of Threat-Hunting - Without knowledge of the second-stage vulnerability, defenders are blind. Investing in memory-forensic tooling and continuous kernel-level telemetry is essential.
  • Zero-Trust Networking - Limiting lateral movement by enforcing strict access controls on RPC/SMB reduces the attack surface for ALPC-based exploits.

In short, the CVE-2026-20805 episode is a wake-up call: information-disclosure bugs are no longer “low-risk” footnotes; they are launch pads for sophisticated attacks. Prompt patching, vigilant monitoring, and a defense-in-depth posture are the only reliable mitigations.