CVE-2026-20854
Published: 13 January 2026
Summary
CVE-2026-20854 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-20854 is a use-after-free vulnerability (CWE-416) in the Windows Local Security Authority Subsystem Service (LSASS). Published on 2026-01-13, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary code within the context of LSASS, potentially leading to full system compromise given the service's privileged role in Windows authentication and security policy enforcement.
For mitigation guidance, security practitioners should consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854, which details available patches and recommended actions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2173
Vulnerability details
Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in LSASS directly enables remote arbitrary code execution in a privileged authentication service (T1068/T1210), facilitating credential dumping from LSASS memory (T1003.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly mitigates the use-after-free vulnerability in LSASS by applying vendor patches as recommended in the MSRC advisory.
Memory protection controls like ASLR and non-executable memory regions reduce the exploitability of the use-after-free bug in LSASS for arbitrary code execution.
Vulnerability monitoring and scanning identifies the specific use-after-free vulnerability in LSASS to enable proactive remediation.