CVE-2026-20809
Published: 13 January 2026
Summary
CVE-2026-20809 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through vendor patches directly eliminates the TOCTOU race condition in Windows Kernel Memory.
Enforces memory protections that restrict unauthorized access and modifications to kernel memory exploited by the race condition.
Implements a tamper-resistant reference monitor to mediate kernel memory accesses, blocking privilege escalation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct local kernel-mode privilege escalation via TOCTOU race condition and heap buffer overflow in Windows memory management.
NVD Description
Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally.
Deeper analysisAI
CVE-2026-20809 is a time-of-check time-of-use (TOCTOU) race condition in Windows Kernel Memory management. Published on 2026-01-13, it affects Windows operating systems and enables an authorized attacker to elevate privileges locally. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 122 (Heap-based Buffer Overflow) and 367 (Time-of-check Time-of-use Race Condition).
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of required user interaction (UI:N). Successful exploitation allows arbitrary code execution in kernel mode, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) through local privilege escalation.
Microsoft's update guide provides details on patches and mitigation for CVE-2026-20809 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20809.
Details
- CWE(s)