Cyber Resilience

CVE-2026-20929

High

Published: 13 January 2026

Published
13 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20929 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20929 is an improper access control vulnerability (CWE-284) in the Windows HTTP.sys kernel-mode driver, which handles HTTP requests in Windows operating systems. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity but significant impacts if exploited.

The vulnerability can be exploited by an authorized attacker with low privileges (PR:L) over a network (AV:N). Successful exploitation enables privilege escalation without user interaction (UI:N), leading to high confidentiality, integrity, and availability impacts (C:I:A:H) within the unchanged security scope (S:U).

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20929.

EU & UK References

Vulnerability details

Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

Threat-Actor AttributionAI

StellarParticle Campaign: Novel Tactics and Techniques | CrowdStrike
C0027 (C0027)
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
APT12 (G0005)
Read Featured Article "Whois Numbered Panda" by Adam Meyers
APT28 (G0007)
CrowdStrike’s work with the Democratic National Committee: Setting the record straight
APT29 (G0016)
SUNSPOT Malware: A Technical Analysis | CrowdStrike
VOODOO BEAR | Threat Actor Profile | CrowdStrike
FIN7 (G0046)
CARBON SPIDER Embraces Big Game Hunting, Part 1 | CrowdStrike
OilRig (G0049)
Helix Kitten | Threat Actor Profile | CrowdStrike
Leviathan (G0065)
Two Birds, One STONE PANDA
On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations
APT38 (G0082)
STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike
What is Ryuk Ransomware? The Complete Breakdown
The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike
Fox Kitten (G0117)
PIONEER KITTEN: Targets & Methods [Adversary Profile]
Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
Mustang Panda | Threat Actor Profile | CrowdStrike
CrowdStrike Tracks Reported Iranian Actor as FLYING KITTEN
Tonto Team (G0131)
The Manufacturing Threat Landscape in 2020 | CrowdStrike
AQUATIC PANDA in Possession of Log4Shell Exploit Tools | CrowdStrike
Ember Bear (G1003)
EMBER BEAR: Threat Actor Profile | CrowdStrike
SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via exploitation of improper access control in kernel driver (HTTP.sys).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20843Same product: Microsoft Windows 10 1607
CVE-2025-21359Same product: Microsoft Windows 10 1607
CVE-2026-21238Same product: Microsoft Windows 10 1607
CVE-2025-59230Same product: Microsoft Windows 10 1607
CVE-2026-33834Same product: Microsoft Windows 10 1607
CVE-2026-25176Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607
CVE-2025-21293Same product: Microsoft Windows 10 1607
CVE-2026-24290Same product: Microsoft Windows 10 1809
CVE-2026-26183Same product: Microsoft Windows Server 2012

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
microsoft
windows server 2019
≤ 10.0.17763.8276
microsoft
windows server 2022
≤ 10.0.20348.4648
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly counters the improper access control vulnerability in HTTP.sys by requiring enforcement of approved authorizations for all logical access to system resources.

prevent

Addresses the specific flaw in the Windows HTTP.sys kernel-mode driver by identifying, reporting, and applying remediation such as patches to prevent privilege escalation.

prevent

Mitigates privilege escalation impacts by ensuring low-privilege attackers and processes operate with the minimum privileges necessary, limiting potential damage from exploitation.

References