TL;DR
Microsoft released a Patch Tuesday update fixing an info-disclosure zero-day (CVE-2026-20805) that can leak memory addresses via a remote ALPC port. The US CISA has listed the flaw in its Known Exploited Vulnerabilities catalog, forcing federal agencies to apply the fix by February 3.
What happened
On the first Patch Tuesday of 2026 Microsoft published a fix for an information-disclosure vulnerability tracked as CVE-2026-20805, which its threat intelligence team discovered. The flaw permits an authorized attacker to obtain a memory address from a remote ALPC port, a step that security researchers say can be used to defeat memory protections and enable further exploitation. The vulnerability carries a CVSS score of 5.5. Shortly after Microsoft issued the patch, the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog, creating a federal deadline to install the update. Microsoft declined to provide additional details when asked, and researchers warned that limited disclosure about related components constrains defenders — leaving rapid patching as the primary mitigation. The January update also included a broad set of fixes across Microsoft products, with the company publishing 112 CVEs this month.
Why it matters
- The flaw is being treated as active by US authorities, prompting mandatory patching for federal agencies.
- Information-disclosure bugs like this can reveal memory layout, making higher-impact exploits more practical.
- Limited disclosure of exploit chain details reduces defenders' ability to hunt and mitigate related activity.
- The patch is part of a large January update, so administrators must prioritize this fix amid many other updates.
Key facts
- Vulnerability: CVE-2026-20805, an information-disclosure bug affecting ALPC port handling.
- Severity: assigned a CVSS base score of 5.5 (medium).
- Discovery: found by Microsoft's internal threat intelligence team.
- CISA action: CVE-2026-20805 was added to the Known Exploited Vulnerabilities catalog; federal agencies must remediate by February 3.
- Patch Tuesday volume: Microsoft disclosed 112 CVEs in the January update.
- Two other publicly known issues in this release: CVE-2026-21265 (secure boot certificate expiration bypass, CVSS 6.4) and CVE-2023-31096 (Agere Modem driver elevation of privilege, CVSS 7.8).
- Microsoft removed the affected Agere Modem drivers as part of the January update.
- Additional Office use-after-free bugs were noted in the release (CVE-2026-20952 and CVE-2026-20953) that could allow local code execution if exploited.
What to watch next
- Whether Microsoft or other vendors provide further attribution or technical details about active exploitation — not confirmed in the source.
- How widely the CVE-2026-20805 exploit is being used in the wild and which threat actors may be involved — not confirmed in the source.
- If additional components or exploit-chain primitives related to this info-disclosure are disclosed by Microsoft or researchers — not confirmed in the source.
- Compliance with the CISA remediation deadline: federal agencies must implement the fix by February 3 (confirmed in the source).
Quick glossary
- ALPC (Advanced Local Procedure Call): A Windows interprocess communication mechanism used for message passing between applications and system components.
- Information-disclosure vulnerability: A bug that allows attackers to obtain sensitive information from memory or system components that should be protected.
- ASLR (Address Space Layout Randomization): A security technique that randomizes memory address locations to make exploitation of memory-safety bugs more difficult.
- CVSS (Common Vulnerability Scoring System): A standardized scale for rating the severity of software vulnerabilities, typically 0.0 to 10.0.
- CISA Known Exploited Vulnerabilities (KEV) catalog: A US government list of vulnerabilities observed being exploited in the wild; inclusion often triggers mandatory remediation timelines for federal agencies.
Reader FAQ
Is this Windows vulnerability being actively exploited?
The source reports that Microsoft and US authorities warned the bug is already under attack, but details about who is exploiting it or how widespread the activity is were not provided.
Should organizations install the January Patch Tuesday update immediately?
The reporting advises prioritizing this patch, and CISA's listing imposes a federal remediation deadline; rapid patching is recommended.
Did Microsoft disclose which components are involved in potential exploit chains?
Microsoft declined to answer questions on those details, and the source notes that omission limits defenders' ability to hunt for related activity.
Were there other notable fixes in this Patch Tuesday?
Yes. The release included 112 Microsoft CVEs overall and highlighted two publicly known issues: a secure boot certificate expiration bypass (CVE-2026-21265) and an Agere Modem driver elevation flaw (CVE-2023-31096), the latter of which had the drivers removed in this update.
SECURITY Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm First Patch Tuesday of 2026 goes big Jessica Lyons Wed 14 Jan 2026 // 00:36 UTC Microsoft and Uncle Sam have warned…
Sources
- Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm
- CISA Adds CVE-2026-20805 to KEV: Urgent Windows Disclosure Patch
- CISA adds recently-announced Microsoft zero-day to exploited …
- Windows info-disclosure 0-day bug gets a fix and CISA alert
Related posts
- When hardware hits EOL, companies should release the software
- Why the Yarn Spinner Team Refuses to Use AI in Product and Development
- ListenBrainz restricts APIs after AI scrapers overload MusicBrainz services