**U.S. CISA Adds Flaw in Microsoft Windows to its Known Exploited Vulnerabilities Catalog**

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited vulnerability in Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing signals confirmed in-the-wild exploitation and sets a remediation deadline for federal agencies, and it should prompt the same urgency from private organizations.

The newly added vulnerability, tracked as CVE-2026-20805 with a CVSS score of 8.7, is an information disclosure flaw in the Windows Desktop Window Manager (DWM). On its own it lets a local attacker read small pieces of sensitive memory contents. Leaks of this kind do not give code execution by themselves; they are typically used to defeat randomization-based mitigations such as ASLR and are chained with a separate bug to make a more severe exploit reliable.

CISA adds a vulnerability to the KEV catalog only when it has reliable evidence of active exploitation and a clear remediation action is available. The listing therefore means attackers are already using this flaw, not merely that it could be exploited, and it should be prioritized over unexploited vulnerabilities with higher paper scores.

This week, Microsoft released its January 2026 Patch Tuesday security updates, fixing 112 CVEs across Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB and Windows management services. Counting the third-party Chromium fixes shipped through Edge, the total rises to 114.

CVE-2026-20805 is concerning less for its direct impact than for its role in an exploit chain: it lets a local attacker disclose sensitive information that can be used to bypass security protections and make a second, more severe exploit work. CISA's advisory describes it as follows: "Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally." The phrase "authorized attacker" means the attacker already has the ability to run code on the machine as some user; this is a post-access primitive, not a remote entry point.

Microsoft has not shared details about the attacks exploiting this vulnerability, but its inclusion in the KEV catalog confirms that exploitation has been observed. Under CISA's Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch agencies must remediate catalogued vulnerabilities by the due date CISA assigns in order to protect their networks against attacks exploiting flaws in the catalog.

CISA has set a remediation deadline of February 3, 2026 for federal agencies. Private organizations should likewise confirm that the January 2026 Windows updates are deployed and review the Catalog for other entries affecting their infrastructure. Since exploitation is already under way, patching should not wait for the federal deadline.
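Reviewing the Catalog, as advised above, is easiest from CISA's machine-readable KEV feed. The following is an added example, not code from Security Affairs, CISA or Microsoft: it parses the feed's JSON schema, keeps entries that match an inventory of (vendor, product) pairs, and reports the days remaining until each BOD 22-01 due date, flagging entries that are already overdue. The embedded record is a constructed sample built from the details in this article; the `dateAdded` value (three weeks before the due date, the standard BOD 22-01 window), the `vulnerabilityName` wording, the inventory list and the function names are assumptions.

```python
"""Triage CISA KEV catalog entries against their BOD 22-01 due dates.

Added example: not code from Security Affairs, CISA or Microsoft. The field
names follow CISA's published KEV JSON layout; the embedded record is a
constructed sample built only from details in the article above.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Real location of the KEV JSON feed. It is NOT fetched here; the sample below is
# embedded so the script runs offline and deterministically.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV schema. CVE ID, vendor, product, description and
# due date come from the article. dateAdded (three weeks before the due date) and
# vulnerabilityName are assumptions, not quoted from the real catalog entry.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2026-01-13T00:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2026-20805",
        "vendorProject": "Microsoft",
        "product": "Windows",
        "vulnerabilityName": "Microsoft Windows Desktop Window Manager Information Disclosure Vulnerability",
        "dateAdded": "2026-01-13",
        "shortDescription": ("Exposure of sensitive information to an unauthorized actor in "
                             "Desktop Window Manager allows an authorized attacker to disclose "
                             "information locally."),
        "requiredAction": ("Apply mitigations per vendor instructions, follow applicable BOD 22-01 "
                           "guidance for cloud services, or discontinue use of the product if "
                           "mitigations are unavailable."),
        "dueDate": "2026-02-03",
        "knownRansomwareCampaignUse": "Unknown",
        "notes": "",
        "cwes": ["CWE-200"],
    }],
})


@dataclass(frozen=True)
class KevItem:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    ransomware: str  # "Known" or "Unknown" in the real feed


def _as_date(value: date | str) -> date:
    """Accept either a date or an ISO 8601 string such as '2026-01-20'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_kev(feed_json: str) -> list[KevItem]:
    """Parse the KEV feed JSON into typed records; raises KeyError on schema drift."""
    data = json.loads(feed_json)
    return [
        KevItem(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in data["vulnerabilities"]
    ]


def triage(items, inventory, as_of) -> list[tuple[str, int]]:
    """Return (cve_id, days_until_due) for entries whose (vendor, product) is in our
    inventory, most urgent first. Negative days mean the deadline has passed.
    Matching is case-insensitive but otherwise exact: the real feed names products
    in several ways ("Windows", "Windows 10", ...), so build the inventory from the
    strings the feed actually uses."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    today = _as_date(as_of)
    hits = [
        (it.cve_id, (it.due_date - today).days)
        for it in items
        if (it.vendor.lower(), it.product.lower()) in wanted
    ]
    return sorted(hits, key=lambda h: h[1])


def overdue(items, inventory, as_of) -> list[str]:
    """CVE IDs in scope whose BOD 22-01 due date has already passed."""
    return [cve for cve, days in triage(items, inventory, as_of) if days < 0]


if __name__ == "__main__":
    inventory = [("Microsoft", "Windows")]  # hypothetical inventory of what we run
    items = parse_kev(SAMPLE_FEED)
    for cve, days in triage(items, inventory, as_of="2026-01-20"):
        print(f"{cve}: {days} day(s) until due")
    print("overdue as of 2026-02-04:", overdue(items, inventory, as_of="2026-02-04"))
```

To run this against the live catalog, replace `SAMPLE_FEED` with the body fetched from `KEV_FEED_URL`. Because `parse_kev` indexes required fields directly, an unexpected change in the feed layout fails immediately rather than silently dropping entries from the report.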

We will continue to monitor developments related to this vulnerability and provide updates as more information becomes available. In the meantime, please follow us on Twitter (@securityaffairs), Facebook, and Mastodon for the latest cybersecurity news and insights.


