CVE-2026-20804
Published: 13 January 2026
Summary
CVE-2026-20804 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 13.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 Least Privilege directly mitigates incorrect privilege assignment in Windows Hello by ensuring components operate with only necessary privileges, preventing unauthorized local tampering.
AC-3 Access Enforcement requires systems to enforce approved access authorizations, blocking the high confidentiality and integrity impacts from local unauthorized tampering via Windows Hello.
AC-2 Account Management enables review and restriction of privileges assigned to accounts and processes like Windows Hello, reducing risk of incorrect privilege exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect privilege assignment in Windows Hello authentication directly enables local Exploitation for Privilege Escalation (T1068), producing the confidentiality and integrity impacts described above.
NVD Description
Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally.
Deeper analysis
CVE-2026-20804 is an incorrect privilege assignment vulnerability (CWE-266) in the Windows Hello authentication component of Microsoft Windows. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts without requiring privileges or user interaction.
The vulnerability enables a local, unauthorized attacker to tamper with the system. Exploitation requires only local access and has low attack complexity; a successful attack yields a high impact on confidentiality (C:H) and integrity (I:H), while availability is unaffected (A:N).
Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20804. Security practitioners should consult this resource for patch information and recommended actions.
Details
- CWE(s)