
Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm

Microsoft and Uncle Sam have warned that a Windows bug disclosed today is already under attack.

The flaw, tracked as CVE-2026-20805 and discovered by Microsoft’s own threat intel team, allows an authorized attacker to leak a memory address from a remote ALPC port.

“Presumably, threat actors would then use the address in the next stage of their exploit chain – probably gaining arbitrary code execution,” according to Trend Micro’s Zero Day Initiative Head of Threat Awareness Dustin Childs’ analysis.

It’s a medium-severity flaw, earning a 5.5 CVSS rating.

Shortly after Redmond pushed a patch, the US Cybersecurity and Infrastructure Security Agency added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, a step that means federal agencies must implement the fix by February 3. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the feds warned.

We don’t know who is abusing this hole, nor how widespread the exploitation is, and Microsoft declined to answer our questions on the matter, so we’d suggest putting this patch at the top of the list.

“Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits,” Kev Breen, senior director of cyber threat research at Immersive, told The Register.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” he added, while also dinging Redmond for not disclosing which other components may be involved in such an exploit chain.

That omission, Breen said, “significantly” limits network defenders’ “ability to proactively threat-hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

Two publicly known bugs

CVE-2026-20805 looks to be Microsoft’s first zero-day bug of 2026, appearing on the first Patch Tuesday of the new year – and the patch dump is a whopper, with 112 Microsoft CVEs disclosed.

Of these, Microsoft lists two others as publicly known at the time of the release.

One of these, CVE-2026-21265, is a secure boot certificate expiration security feature bypass vulnerability, with a 6.4 CVSS rating. It’s listed as publicly known because Microsoft published this certificate expiration notice back in June 2025.

Some of the original certificates issued in 2011 are expiring soon, and operators of devices that use the soon-to-expire certificates need to update them – or lose the operating system’s Secure Boot protections and security updates. As Childs noted, “while unlikely to be exploited, this bug could cause quite a bit of headaches for administrators.”

The other publicly known vulnerability, CVE-2023-31096, is a 7.8-rated elevation of privilege flaw in third-party Agere Modem drivers that ship with supported Windows versions. It’s a non-Microsoft CVE, issued by MITRE, covering a flaw first documented in 2023.

During October’s patch-a-thon, Microsoft warned that this Agere Modem driver security hole had been made public, but not yet exploited, and said it would be removed in a future update. The future is now, and the drivers have been removed as of the January update.

Two other interesting bugs Childs points out are CVE-2026-20952 (CVSS 7.7) and CVE-2026-20953 (CVSS 7.4), both use-after-free Office flaws that can allow an unauthorized attacker to execute code locally.

“Another month with Preview Pane exploit vectors in an Office bug,” Childs wrote. “While we are still unaware of any exploitation of these bugs, they keep adding up. It’s only a matter of time until threat actors find a way to use these types of bugs in their exploits.” ®
