CVE-2026-20870

High

Published: 13 January 2026

Published

13 January 2026

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 10.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20870 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and timely patching of the use-after-free flaw in Windows Win32K ICOMP to prevent local privilege escalation.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as DEP, ASLR, and stack canaries to protect against exploitation of use-after-free vulnerabilities in kernel components.

AC-6 Least Privilege partial match

prevent

Enforces least privilege for local accounts, limiting the attack surface and potential damage from low-privilege escalation attempts via the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Use-after-free in Win32K kernel component directly enables local privilege escalation from low-privileged context (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-20870 is a use-after-free vulnerability (CWE-416) in the Windows Win32K ICOMP component. It affects Windows systems and was published on 2026-01-13T18:16:16.650 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability allows an authorized local attacker with low privileges to elevate privileges. Exploitation requires local access and low complexity with no user interaction, enabling high impacts on confidentiality, integrity, and availability.

Microsoft's Security Response Center has published an update guide for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20870, which provides details on associated patches and mitigation recommendations.

Details

CWE(s): CWE-416

Affected Products

microsoft

windows 11 24h2

≤ 10.0.26100.7623

microsoft

windows 11 25h2

≤ 10.0.26200.7623

microsoft

windows server 2025

≤ 10.0.26100.32230

CVEs Like This One

CVE-2026-20859Same product: Microsoft Windows 11 24H2

CVE-2026-25167Same product: Microsoft Windows 11 24H2

CVE-2026-20854Same product: Microsoft Windows 11 24H2

CVE-2026-33101Same product: Microsoft Windows 11 24H2

CVE-2025-21315Same product: Microsoft Windows 11 24H2

CVE-2026-21245Same product: Microsoft Windows 11 24H2

CVE-2025-60710Same product: Microsoft Windows 11 24H2

CVE-2026-20941Same product: Microsoft Windows 11 24H2

CVE-2025-21372Same product: Microsoft Windows 11 24H2

CVE-2026-20871Same product: Microsoft Windows 11 24H2

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20870
Vendor Advisory · secure@microsoft.com