Cyber Resilience

CVE-2026-20871

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20871 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20871 is a use-after-free vulnerability (CWE-416) in the Desktop Windows Manager (DWM), a core component of Microsoft Windows responsible for compositing windows and handling graphical effects. Published on January 13, 2026, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential from local exploitation.

An authorized local attacker with low privileges can exploit this vulnerability to achieve privilege escalation. By triggering the use-after-free condition in DWM, the attacker can execute arbitrary code with elevated privileges, potentially gaining SYSTEM-level access on the affected system without requiring user interaction.

The Microsoft Security Response Center (MSRC) has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20871, which provides details on available patches and mitigation recommendations for addressing this local privilege escalation vulnerability.

EU & UK References

Vulnerability details

Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via exploitation of use-after-free in core Windows component (DWM) to achieve SYSTEM-level arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32155Same product: Microsoft Windows 10 21H2
CVE-2026-26132Same product: Microsoft Windows 10 21H2
CVE-2026-20923Same product: Microsoft Windows 10 21H2
CVE-2025-62221Same product: Microsoft Windows 10 21H2
CVE-2026-20865Same product: Microsoft Windows 10 21H2
CVE-2026-24292Same product: Microsoft Windows 10 21H2
CVE-2026-33835Same product: Microsoft Windows 10 21H2
CVE-2026-32078Same product: Microsoft Windows 10 21H2
CVE-2025-21334Same product: Microsoft Windows 10 21H2
CVE-2026-32154Same product: Microsoft Windows 11 23H2

Affected Assets

microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2022
≤ 10.0.20348.4648
microsoft
windows server 2022 23h2
≤ 10.0.25398.2092
microsoft
windows server 2025
≤ 10.0.26100.32230

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free flaw in DWM through timely patching as guided by MSRC updates.

prevent

Implements memory protection mechanisms such as ASLR, DEP, and guard pages to prevent exploitation of the use-after-free vulnerability in DWM.

prevent

Enforces least privilege on processes and accounts to limit the scope and success of local privilege escalation from low-privileged attackers.

References