Tracked as CVE-2026-20805, the vulnerability allows low-privilege local attackers to expose sensitive user-mode memory, specifically section addresses, via remote ALPC ports. This could aid further privilege escalation chains in real-world attacks, prompting urgent patch deployment across legacy Windows systems.
The flaw earned an “Important” severity rating with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). While not remotely exploitable, its low complexity and lack of user interaction make it a prime target for malware or post-compromise operations.
Microsoft Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) confirmed exploitation but noted no public proof-of-concept exists yet.
Attackers exploit DWM, a core compositing engine handling window rendering, to leak memory addresses. This disclosure could reveal kernel pointers or process data, facilitating bypasses of mitigations like ASLR. Microsoft credits internal teams for discovery via coordinated disclosure.
The vulnerability impacts older Windows versions still in extended support. Administrators must prioritize updates, as Microsoft deems them “Required.”
| Platform | KB Article | Build Number | Download Link |
|---|---|---|---|
| Windows 10 v1809 (x64/32-bit) | KB5073723 | 10.0.17763.8276 | Catalog |
| Windows Server 2012 R2 (Core/Full) | KB5073696 | 6.3.9600.22968 | Catalog |
| Windows Server 2012 (Core/Full) | KB5073698 | 6.2.9200.25868 | Catalog |
| Windows Server 2016 (Core/Full) | KB5073722 | 10.0.14393.8783 | Catalog |
Check the MSRC Update for full lifecycle details. In the interim, restrict local low-privilege accounts and monitor DWM processes via EDR tools.
This patch wave underscores ongoing risks in legacy DWM components amid rising local privilege escalation tactics. Organizations on unsupported builds face heightened exposure.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Microsoft Desktop Window Manager 0-Day Vulnerability Exploited in the wild appeared first on Cyber Security News.
In case you missed it and have been living under a rock, Shrek is back.…
Hackers are using telecom networks and hosting providers across the Middle East as a foundation…
A large-scale phishing campaign targeting the 2026 FIFA World Cup has grown far beyond what…
Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range…
A widely-used JavaScript templating library called art-template has been weaponized to deliver a sophisticated iOS…
A hacker group known as INJ3CTOR3 has been running an active campaign against FreePBX systems,…
This website uses cookies.