Cyber Resilience

CVE-2026-20868

High

Published: 13 January 2026

Published
13 January 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0134 67.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20868 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20868 is a heap-based buffer overflow vulnerability, classified under CWE-122, affecting the Windows Routing and Remote Access Service (RRAS). Published on 2026-01-13T18:16:16.303, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and enables an unauthorized attacker to execute code over a network.

The vulnerability can be exploited by an unauthorized attacker with network access, requiring low attack complexity and no privileges, though user interaction is necessary. Successful exploitation grants high-impact arbitrary code execution, compromising confidentiality, integrity, and availability.

Microsoft's Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20868 details patching instructions. Vicarius provides a detection script at https://www.vicarius.io/vsociety/posts/cve-2026-20868-detection-script-heap-based-buffer-overflow-vulnerability-affecting-windows-rras and a mitigation script at https://www.vicarius.io/vsociety/posts/cve-2026-20868-mitigation-script-heap-based-buffer-overflow-vulnerability-affecting-windows-rras.

EU & UK References

Vulnerability details

Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Heap-based buffer overflow in Windows RRAS enables remote code execution by unauthorized network attackers, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-60724Same product: Microsoft Windows 10 1607
CVE-2025-21368Same product: Microsoft Windows 10 1607
CVE-2025-53766Same product: Microsoft Windows 10 1607
CVE-2025-21273Same product: Microsoft Windows 10 1607
CVE-2025-47981Same product: Microsoft Windows 10 1607
CVE-2025-21369Same product: Microsoft Windows 10 1607
CVE-2025-62549Same product: Microsoft Windows 10 1607
CVE-2026-20922Same product: Microsoft Windows 10 1607
CVE-2026-20820Same product: Microsoft Windows 10 1607
CVE-2026-20840Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the heap-based buffer overflow in RRAS by identifying, prioritizing, and applying vendor patches as specified in Microsoft's update guide.

prevent

Implements memory protection mechanisms like ASLR and DEP that hinder exploitation of heap buffer overflows for arbitrary code execution.

prevent

Requires validation of network inputs to RRAS to detect and reject malformed data that could trigger the buffer overflow.

References