Cyber Resilience

CVE-2026-20849

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0007 21.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20849 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20849 is a vulnerability in Windows Kerberos stemming from reliance on untrusted inputs in a security decision, classified under CWE-807. It affects the Windows Kerberos authentication component, enabling an authorized attacker to potentially elevate privileges. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting network accessibility (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). It was published on January 13, 2026.

An attacker with low-level authorized access, such as a domain user, can exploit this flaw over the network by manipulating untrusted inputs during Kerberos security decisions. Successful exploitation allows privilege escalation, potentially granting higher-level access within the Windows environment without requiring local presence or user interaction.

Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20849, which details recommended mitigations and patches for addressing the vulnerability.

EU & UK References

Vulnerability details

Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1558 Steal or Forge Kerberos Tickets Credential Access
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.
Why these techniques?

Vulnerability in Kerberos auth decision logic (untrusted input) directly enables network-based privilege escalation from low-priv domain account (T1068); exploitation commonly involves forging or abusing Kerberos tickets (T1558).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20922Same product: Microsoft Windows 10 1607
CVE-2026-20831Same product: Microsoft Windows 10 1607
CVE-2026-20820Same product: Microsoft Windows 10 1607
CVE-2026-20860Same product: Microsoft Windows 10 1607
CVE-2026-20840Same product: Microsoft Windows 10 1607
CVE-2026-20921Same product: Microsoft Windows 10 1607
CVE-2026-20816Same product: Microsoft Windows 10 1607
CVE-2026-20931Same product: Microsoft Windows 10 1607
CVE-2026-20843Same product: Microsoft Windows 10 1607
CVE-2026-21231Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-20849 by requiring timely identification, reporting, and correction of the specific flaw in Windows Kerberos.

prevent

Addresses CWE-807 by mandating validation of untrusted inputs used in Kerberos security decisions, rejecting invalid ones to block privilege escalation.

prevent

Requires Kerberos access control decisions to be based solely on valid inputs and authorized policies, preventing exploitation via untrusted data.

References