CVE-2026-20854 PUBLISHED

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. The CCB would like to draw your attention to the following vulnerabilities:

CVE-2026-20805: Desktop Window Manager (Actively exploited) Information Disclosure Vulnerability. This CVE impacts Desktop Window Manager. Successful exploitation of this vulnerability could allow an authenticated attacker to disclose sensitive data locally. According to Microsoft, this vulnerability is actively exploited in attacks in the wild as a zero-day. CISA has acknowledged active exploitation of this vulnerability by adding it to its catalogue of known exploited vulnerabilities. CISA urges users to address this vulnerability before February 3, 2026.

CVE-2026-21265: Windows Secure Boot Security Feature Bypass Vulnerability. It is a Secure Boot certificate expiration security feature bypass vulnerability, with a CVSSv3 score of 6.4 and rated as important. It is assessed as “Exploitation Less Likely.” Successful exploitation requires high attack complexity and could allow an attacker to bypass Secure Boot protections. Microsoft warns that Windows Secure Boot certificates issued in 2011 are approaching expiration and that systems that are not updated are at a higher risk of Secure Boot being bypassed by malicious actors.

CVE-2026-20952 and CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability. CVE-2026-20952 and CVE-2026-20953 are critical remote code execution vulnerabilities affecting Microsoft Office, both with a CVSS score of 8.4. These vulnerabilities could allow an unauthenticated attacker to execute arbitrary code by exploiting use-after-free conditions in Microsoft Office components. An attacker could exploit these vulnerabilities through a social engineering attack by sending specially crafted malicious emails or links to the target users.

CVE-2026-20840 and CVE-2026-20922: Windows New Technology File System Remote Code Execution Vulnerability. These CVEs are remote code execution vulnerabilities affecting Windows NTFS. Both have CVSSv3 scores of 7.8 and are rated as important. Microsoft has assessed both vulnerabilities as likely to be exploited. According to Microsoft, both vulnerabilities result from heap-based buffer overflows that could allow an authenticated attacker to achieve remote code execution on an affected system.

CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability. CVE-2026-20854 is a critical remote code execution vulnerability in Windows LSASS, with a CVSSv3 score of 7.5. The vulnerability arises from a use-after-free condition that can be triggered over the network by an authenticated attacker. Given that the LSASS service is responsible for authentication and security policy enforcement, successful exploitation could allow an attacker to execute code with severe consequences, including complete system compromise.

CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability (EoP). CVE-2026-20876 is a critical EoP vulnerability in Windows VBS Enclave. This CVE is assigned a CVSS score of 6.7 and rated as critical. This vulnerability is caused by a heap-based buffer overflow that could allow an authenticated attacker with elevated privileges to elevate their access locally. Successful exploitation could grant Virtual Trust Level 2 (VTL2) privileges, compromising fundamental Windows security protections designed to isolate and defend sensitive system operations.

CVE-2026-20963: Microsoft Office SharePoint (Actively exploited) Deserialization of untrusted data. CVE-2026-20963 is a vulnerability affecting Microsoft SharePoint. Successful exploitation of this vulnerability allows authenticated attackers with Site Owner privileges to remotely execute arbitrary code over the network with no user interaction required. Attackers can access sensitive data, manipulate SharePoint content, and gain full control of the SharePoint environment. The low privilege requirement (Site Owner level) significantly expands the attack surface, as these permissions are commonly granted to multiple users. Recent intelligence indicates that this vulnerability is actively being exploited in attacks, particularly by ransomware groups. CISA has acknowledged active exploitation of this vulnerability by adding it to its catalogue of known exploited vulnerabilities. CISA emphasizes the urgency of applying patches for this flaw.

EPSS 0.07% · 21.2th percentile
