Cyber Resilience

CVE-2026-20875

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 19.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20875 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20875 is a null pointer dereference vulnerability (CWE-476) in the Windows Local Security Authority Subsystem Service (LSASS). Published on 2026-01-13, it affects Windows systems running LSASS, a critical component handling authentication and security policies.

The vulnerability enables an unauthorized attacker to exploit it over a network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and no change in scope (S:U). Successful exploitation results in high-impact denial of service (A:H) with no impact on confidentiality or integrity (C:N/I:N), as reflected in its CVSS v3.1 base score of 7.5.

Microsoft's Security Response Center provides an update guide for CVE-2026-20875 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20875, detailing recommended mitigations and patches.

EU & UK References

Vulnerability details

Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference in LSASS directly enables remote DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21525Same product: Microsoft Windows 10 1607
CVE-2026-40401Same product: Microsoft Windows 10 1607
CVE-2026-40413Same product: Microsoft Windows 10 1607
CVE-2026-40414Same product: Microsoft Windows 10 1607
CVE-2025-21285Same product: Microsoft Windows 10 1607
CVE-2026-32071Same product: Microsoft Windows 10 1607
CVE-2026-20846Same product: Microsoft Windows 10 1607
CVE-2026-25165Same product: Microsoft Windows 10 1607
CVE-2026-35424Same product: Microsoft Windows 10 1607
CVE-2025-21389Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the null pointer dereference vulnerability in LSASS by requiring timely application of vendor patches as detailed in Microsoft's update guide.

prevent

Implements denial-of-service protections at system entry points to counter the high-impact network-based DoS exploitation of LSASS.

prevent

Monitors and controls network communications at boundaries to limit unauthorized remote access required to trigger the LSASS null pointer dereference.

References