Cyber Resilience

CVE-2026-20809

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20809 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-20809 is a time-of-check time-of-use (TOCTOU) race condition in Windows Kernel Memory management. Published on 2026-01-13, it affects Windows operating systems and enables an authorized attacker to elevate privileges locally. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 122 (Heap-based Buffer Overflow) and 367 (Time-of-check Time-of-use Race Condition).

A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of required user interaction (UI:N). Successful exploitation allows arbitrary code execution in kernel mode, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) through local privilege escalation.

Microsoft's update guide provides details on patches and mitigation for CVE-2026-20809 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20809.

EU & UK References

Vulnerability details

Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local kernel-mode privilege escalation via TOCTOU race condition and heap buffer overflow in Windows memory management.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26180Same product: Microsoft Windows 10 1607
CVE-2026-20922Same product: Microsoft Windows 10 1607
CVE-2026-20831Same product: Microsoft Windows 10 1607
CVE-2026-20820Same product: Microsoft Windows 10 1607
CVE-2026-40398Same product: Microsoft Windows 10 1607
CVE-2026-20840Same product: Microsoft Windows 10 1607
CVE-2026-25188Same product: Microsoft Windows 10 1607
CVE-2026-33837Same product: Microsoft Windows 10 1607
CVE-2026-40407Same product: Microsoft Windows 10 1607
CVE-2026-40377Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2012
r2
microsoft
windows server 2016
≤ 10.0.14393.8783
microsoft
windows server 2019
≤ 10.0.17763.8276
+3 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor patches directly eliminates the TOCTOU race condition in Windows Kernel Memory.

prevent

Enforces memory protections that restrict unauthorized access and modifications to kernel memory exploited by the race condition.

prevent

Implements a tamper-resistant reference monitor to mediate kernel memory accesses, blocking privilege escalation attempts.

References