Microsoft DWM 0-Day Vulnerability Act Desktop Window
A critical zero-day information disclosure flaw in Microsoft’s Desktop Window Manager (DWM) was patched on January 13, 2026, as part of its Patch Tuesday update, following the detection of active exploitation in the wild.
Tracked as CVE-2026-20805, the vulnerability allows low-privilege local attackers to expose sensitive user-mode memory, specifically section addresses, via remote ALPC ports. This could aid further privilege escalation chains in real-world attacks, prompting urgent patch deployment across legacy Windows systems.
The flaw earned an “Important” severity rating with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). While not remotely exploitable, its low complexity and lack of user interaction make it a prime target for malware or post-compromise operations.
Microsoft Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) confirmed exploitation but noted no public proof-of-concept exists yet.
Attackers exploit DWM, a core compositing engine handling window rendering, to leak memory addresses. This disclosure could reveal kernel pointers or process data, facilitating bypasses of mitigations like ASLR. Microsoft credits internal teams for discovery via coordinated disclosure.
Affected Platforms and Patches
The vulnerability impacts older Windows versions still in extended support. Administrators must prioritize updates, as Microsoft deems them “Required.”
| Platform | KB Article | Build Number | Download Link |
|---|---|---|---|
| Windows 10 v1809 (x64/32-bit) | KB5073723 | 10.0.17763.8276 | Catalog |
| Windows Server 2012 R2 (Core/Full) | KB5073696 | 6.3.9600.22968 | Catalog |
| Windows Server 2012 (Core/Full) | KB5073698 | 6.2.9200.25868 | Catalog |
| Windows Server 2016 (Core/Full) | KB5073722 | 10.0.14393.8783 | Catalog |
Check the MSRC Update for full lifecycle details. In the interim, restrict local low-privilege accounts and monitor DWM processes via EDR tools.
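To turn the table into a fleet check, the following added example (not from Microsoft or the original article) classifies hosts from an inventory export of `host,major.minor.build.revision` lines against the patched builds listed above. The inventory format, hostnames and sample versions are constructed, and the script assumes that a later revision of the same build family also contains the fix.

```python
# Added example: minimum patched builds copied from the table above.
# Assumption: updates are cumulative, so revision >= listed revision is patched.
PATCHED = {
    (10, 0, 17763): (8276, "KB5073723"),   # Windows 10 v1809
    (6, 3, 9600): (22968, "KB5073696"),    # Windows Server 2012 R2
    (6, 2, 9200): (25868, "KB5073698"),    # Windows Server 2012
    (10, 0, 14393): (8783, "KB5073722"),   # Windows Server 2016
}

def assess(version):
    """Classify a 'major.minor.build.revision' string against the table."""
    parts = version.strip().split(".")
    try:
        major, minor, build, rev = (int(p) for p in parts)
    except ValueError:
        # Wrong number of fields or a non-numeric field.
        return ("invalid", None)
    entry = PATCHED.get((major, minor, build))
    if entry is None:
        # Build family is not in the article's table; check MSRC separately.
        return ("not-listed", None)
    min_rev, kb = entry
    return ("patched", kb) if rev >= min_rev else ("missing", kb)

def audit(inventory_csv):
    """Return {host: (status, kb)} for 'host,version' lines."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        host, _, version = line.partition(",")
        report[host.strip()] = assess(version)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-legacy-01,10.0.17763.8027
fs-2012r2,6.3.9600.22968
app-2016,10.0.14393.8783
dc-2012,6.2.9200.25800
kiosk-07,10.0.19045.5000
broken-row,unknown
"""

if __name__ == "__main__":
    for host, (status, kb) in audit(SAMPLE).items():
        print(f"{host:14} {status:10} {kb or '-'}")
```

Hosts reported as `not-listed` are outside this table rather than confirmed safe, so they need a separate lookup in the MSRC guidance.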
This patch wave underscores ongoing risks in legacy DWM components amid rising local privilege escalation tactics. Organizations on unsupported builds face heightened exposure.