Cyber Posture

CVE-2026-20941

High

Published: 13 January 2026

Published
13 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20941 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the improper link resolution vulnerability in the Host Process for Windows Tasks through timely application of vendor patches.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on users and processes to limit the ability of low-privileged local attackers to create exploitable symbolic links or the impact of successful escalation.

CM-6 Configuration Settings partial match
prevent

Establishes secure configuration settings for the Windows operating system to harden against symlink following vulnerabilities in task host processes.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Direct local privilege escalation via improper symlink resolution (CWE-59) in a Windows system process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-20941 is an improper link resolution before file access vulnerability, commonly referred to as "link following," affecting the Host Process for Windows Tasks in Microsoft Windows operating systems. This issue, mapped to CWE-59, enables an authorized attacker to elevate privileges locally and was published on 2026-01-13T18:16:21.530 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by a local attacker who already has low-level privileges on the system (PR:L). Exploitation requires low attack complexity (AC:L) and no user interaction (UI:N), allowing the attacker to follow symbolic links improperly before file access in the Host Process for Windows Tasks, resulting in local privilege escalation.

Mitigation details are available in the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20941.

Details

CWE(s)
CWE-59

Affected Products

microsoft
windows 11 24h2
≤ 10.0.26100.7623 · ≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623 · ≤ 10.0.26200.7623
microsoft
windows server 2025
≤ 10.0.26100.32230

CVEs Like This One

CVE-2025-60710Same product: Microsoft Windows 11 24H2
CVE-2026-20859Same product: Microsoft Windows 11 24H2
CVE-2026-20870Same product: Microsoft Windows 11 24H2
CVE-2026-21245Same product: Microsoft Windows 11 24H2
CVE-2026-25167Same product: Microsoft Windows 11 24H2
CVE-2026-32222Same product: Microsoft Windows 11 24H2
CVE-2026-32221Same product: Microsoft Windows 11 24H2
CVE-2026-21250Same product: Microsoft Windows 11 24H2
CVE-2026-25187Same product: Microsoft Windows 11 24H2
CVE-2026-20854Same product: Microsoft Windows 11 24H2

References