Cyber Resilience

CVE-2026-20854

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 17.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20854 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-20854 is a use-after-free vulnerability (CWE-416) in the Windows Local Security Authority Subsystem Service (LSASS). Published on 2026-01-13, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary code within the context of LSASS, potentially leading to full system compromise given the service's privileged role in Windows authentication and security policy enforcement.

For mitigation guidance, security practitioners should consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854, which details available patches and recommended actions.

EU & UK References

Vulnerability details

Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1003.001 LSASS Memory Credential Access
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
Why these techniques?

Use-after-free in LSASS directly enables remote arbitrary code execution in a privileged authentication service (T1068/T1210), facilitating credential dumping from LSASS memory (T1003.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20870Same product: Microsoft Windows 11 24H2
CVE-2026-20859Same product: Microsoft Windows 11 24H2
CVE-2026-25167Same product: Microsoft Windows 11 24H2
CVE-2026-33840Same product: Microsoft Windows 11 24H2
CVE-2026-33101Same product: Microsoft Windows 11 24H2
CVE-2025-21372Same product: Microsoft Windows 11 24H2
CVE-2025-21315Same product: Microsoft Windows 11 24H2
CVE-2026-21245Same product: Microsoft Windows 11 24H2
CVE-2025-60710Same product: Microsoft Windows 11 24H2
CVE-2026-20941Same product: Microsoft Windows 11 24H2

Affected Assets

microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2025
≤ 10.0.26100.32230

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates the use-after-free vulnerability in LSASS by applying vendor patches as recommended in the MSRC advisory.

prevent

Memory protection controls like ASLR and non-executable memory regions reduce the exploitability of the use-after-free bug in LSASS for arbitrary code execution.

detect

Vulnerability monitoring and scanning identifies the specific use-after-free vulnerability in LSASS to enable proactive remediation.

References