CVE-2026-20805 MEDIUM

CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability

Vendor Microsoft

Product Windows 10 Version 1607

Weakness CWE-200 · Info exposure

KEV Status Known Exploited

Published January 13, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

What the vulnerability does

01Description

Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

January 13, 2026 CVE published

April 1, 2026 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-20805 CISA KEV Reference https://msrc.microsoft.com/update-guide/en-US/vulnerability/CV… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2026-20805

Related vulnerabilities

Identifiers

CVE CVE-2026-20805

CWE CWE-200

CVSS 5.5 / MEDIUM

Affected versions

Vendor Microsoft

Product Windows 10 Version 1607

Affected ≥ 10.0.14393.0 and < 10.0.14393.8783

Vendor Microsoft

Product Windows 10 Version 1809

Affected ≥ 10.0.17763.0 and < 10.0.17763.8276

Vendor Microsoft

Product Windows 10 Version 21H2

Affected ≥ 10.0.19044.0 and < 10.0.19044.6809

Vendor Microsoft

Product Windows 10 Version 22H2

Affected ≥ 10.0.19045.0 and < 10.0.19045.6809

Vendor Microsoft

Product Windows 11 version 22H3

Affected ≥ 10.0.22631.0 and < 10.0.22631.6491

Vendor Microsoft

Product Windows 11 Version 23H2

Affected ≥ 10.0.22631.0 and < 10.0.22631.6491

Vendor Microsoft

Product Windows 11 Version 24H2

Affected ≥ 10.0.26100.0 and < 10.0.26100.7623

Vendor Microsoft

Product Windows 11 Version 25H2

Affected ≥ 10.0.26200.0 and < 10.0.26200.7623

Vendor Microsoft

Product Windows Server 2012

Affected ≥ 6.2.9200.0 and < 6.2.9200.25868

Vendor Microsoft

Product Windows Server 2012 (Server Core installation)

Affected ≥ 6.2.9200.0 and < 6.2.9200.25868

Vendor Microsoft

Product Windows Server 2012 R2

Affected ≥ 6.3.9600.0 and < 6.3.9600.22968

Vendor Microsoft

Product Windows Server 2012 R2 (Server Core installation)

Affected ≥ 6.3.9600.0 and < 6.3.9600.22968

Vendor Microsoft

Product Windows Server 2016

Affected ≥ 10.0.14393.0 and < 10.0.14393.8783

Vendor Microsoft

Product Windows Server 2016 (Server Core installation)

Affected ≥ 10.0.14393.0 and < 10.0.14393.8783

Vendor Microsoft

Product Windows Server 2019

Affected ≥ 10.0.17763.0 and < 10.0.17763.8276

Vendor Microsoft

Product Windows Server 2019 (Server Core installation)

Affected ≥ 10.0.17763.0 and < 10.0.17763.8276

Vendor Microsoft

Product Windows Server 2022

Affected ≥ 10.0.20348.0 and < 10.0.20348.4648

Vendor Microsoft

Product Windows Server 2022, 23H2 Edition (Server Core installation)

Affected ≥ 10.0.25398.0 and < 10.0.25398.2092

Vendor Microsoft

Product Windows Server 2025

Affected ≥ 10.0.26100.0 and < 10.0.26100.32230

Vendor Microsoft

Product Windows Server 2025 (Server Core installation)

Affected ≥ 10.0.26100.0 and < 10.0.26100.32230

CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE