Cyber Posture

CVE-2026-20854

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0007 21.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20854 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-16 Memory Protection
addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1003.001 LSASS Memory Credential Access
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
attack.mitre.org →
Why these techniques?

Use-after-free in LSASS directly enables remote arbitrary code execution in a privileged authentication service (T1068/T1210), facilitating credential dumping from LSASS memory (T1003.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.

Deeper analysisAI

CVE-2026-20854 is a use-after-free vulnerability (CWE-416) in the Windows Local Security Authority Subsystem Service (LSASS). Published on 2026-01-13, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary code within the context of LSASS, potentially leading to full system compromise given the service's privileged role in Windows authentication and security policy enforcement.

For mitigation guidance, security practitioners should consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854, which details available patches and recommended actions.

Details

CWE(s)
CWE-416

Affected Products

microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2025
≤ 10.0.26100.32230

CVEs Like This One

CVE-2026-20859Same product: Microsoft Windows 11 24H2
CVE-2026-20870Same product: Microsoft Windows 11 24H2
CVE-2026-25167Same product: Microsoft Windows 11 24H2
CVE-2026-33101Same product: Microsoft Windows 11 24H2
CVE-2025-21315Same product: Microsoft Windows 11 24H2
CVE-2026-21245Same product: Microsoft Windows 11 24H2
CVE-2025-60710Same product: Microsoft Windows 11 24H2
CVE-2026-20941Same product: Microsoft Windows 11 24H2
CVE-2025-21372Same product: Microsoft Windows 11 24H2
CVE-2025-21379Same product: Microsoft Windows 11 24H2

References