Critical Windows 0-Day Fixed: CISA Issues Urgent Alert

Summary
– Microsoft and US authorities warn that a Windows vulnerability (CVE-2026-20805) is already being actively exploited.
– The flaw, which undermines a core security control (ASLR), allows attackers to leak memory addresses and could be chained with other bugs for code execution.
– CISA has mandated that federal agencies patch this vulnerability by February 3 because of its significant risk.
– This bug is part of a large January patch release containing 112 fixes, including two other publicly known vulnerabilities.
– Among the other patched flaws are critical Office use-after-free vulnerabilities that, while not yet exploited, are concerning because they can be triggered through the Preview Pane.
A critical security vulnerability in the Windows operating system is already being actively exploited, prompting an urgent alert from U.S. cybersecurity authorities. Microsoft has released a patch for this zero-day flaw, identified as CVE-2026-20805, which was discovered by the company’s internal threat intelligence team. The issue allows an authenticated attacker to obtain a memory address from a remote ALPC port, a technique often used to weaken fundamental system defenses.
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal civilian agencies apply this critical update by February 3, classifying it as a Known Exploited Vulnerability. This designation underscores the serious risk, noting that such flaws are common vectors for malicious activity. While the scale of current attacks remains unclear, the immediate availability of exploits makes prompt patching essential for all organizations.
Security experts explain that this particular vulnerability undermines Address Space Layout Randomization (ASLR), a core security mechanism designed to prevent memory corruption attacks. By leaking a memory address, attackers can more reliably chain this flaw with another code execution bug. “This transforms a complex and unreliable exploit into a practical and repeatable attack,” noted Kev Breen, senior director of cyber threat research at Immersive. He also criticized Microsoft for not disclosing which other software components might be involved in a full attack chain, which limits defenders’ ability to hunt for related threats proactively.
This zero-day headlined a substantial January Patch Tuesday release from Microsoft, which addressed 112 unique vulnerabilities. Among these, two other bugs were listed as publicly known prior to the update. One, tracked as CVE-2026-21265, is a Secure Boot certificate expiration issue with a CVSS score of 6.4. The certificates, originally issued in 2011, are soon expiring. Devices relying on them must be updated to maintain Secure Boot protections and continue receiving security updates. While direct exploitation is considered unlikely, administrators face significant operational headaches if these updates are neglected.
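As an added example (not from the article, Microsoft or CISA), the following PowerShell lists the X.509 certificates enrolled in a machine's Secure Boot db and KEK variables with their expiry dates, so an administrator can see whether a device still depends only on the soon-expiring 2011-era certificates. It assumes the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI), a UEFI system, and an elevated session.

```powershell
# Added example: parse the UEFI Secure Boot db/KEK variables into their
# X.509 certificates and flag those nearing expiry. Run as Administrator.
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([string]$Variable = 'db')   # 'db' or 'KEK'
    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID(16) | list size(4) | header size(4) | sig size(4)
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop instead of looping forever
        if ($type -eq $EFI_CERT_X509_GUID -and $sigSize -gt 16) {
            $sigOffset = $offset + 28 + $headerSize
            $end       = $offset + $listSize
            while ($sigOffset + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: owner GUID(16) followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Variable
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
                }
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this machine.' }

$certs = foreach ($v in 'db', 'KEK') { Get-SecureBootCertificates -Variable $v }
$certs | Sort-Object NotAfter | Format-Table Variable, Subject, NotAfter, DaysLeft -AutoSize

# Devices whose trust anchors all expire soon are the population the advisory is about.
$expiring = $certs | Where-Object { $_.DaysLeft -lt 365 }
if ($expiring) { Write-Warning ("{0} Secure Boot certificate(s) expire within a year." -f @($expiring).Count) }
```

A device that shows only 2011-dated subjects with short DaysLeft values has not yet received the updated certificates and should be prioritised for the Secure Boot update the article describes.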
The other publicly known flaw is CVE-2023-31096, a high-severity privilege escalation bug in third-party Agere Modem drivers included with supported Windows versions. This non-Microsoft vulnerability, first documented in 2023, has now been fully remediated by removing the affected drivers in the January update.
Analysts also highlighted several other notable fixes in this release. Two specific Office vulnerabilities, CVE-2026-20952 and CVE-2026-20953, are use-after-free flaws that could allow local code execution. “Another month with Preview Pane exploit vectors in an Office bug,” observed Dustin Childs of Trend Micro’s Zero Day Initiative. He warned that while these particular bugs are not yet under attack, the consistent appearance of such vulnerabilities means it is only a matter of time before threat actors incorporate them into active exploit campaigns. The collective weight of this month’s patches reinforces the need for diligent and rapid update cycles across all systems.
(Source: The Register)