Cyber Resilience

CVE-2026-20941

High

Published: 13 January 2026

Published
13 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20941 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-20941 is an improper link resolution before file access vulnerability, commonly referred to as "link following," affecting the Host Process for Windows Tasks in Microsoft Windows operating systems. This issue, mapped to CWE-59, enables an authorized attacker to elevate privileges locally and was published on 2026-01-13T18:16:21.530 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by a local attacker who already has low-level privileges on the system (PR:L). Exploitation requires low attack complexity (AC:L) and no user interaction (UI:N), allowing the attacker to follow symbolic links improperly before file access in the Host Process for Windows Tasks, resulting in local privilege escalation.

Mitigation details are available in the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20941.

EU & UK References

Vulnerability details

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via improper symlink resolution (CWE-59) in a Windows system process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-60710Same product: Microsoft Windows 11 24H2
CVE-2026-21245Same product: Microsoft Windows 11 24H2
CVE-2026-20870Same product: Microsoft Windows 11 24H2
CVE-2026-20859Same product: Microsoft Windows 11 24H2
CVE-2026-25167Same product: Microsoft Windows 11 24H2
CVE-2026-33840Same product: Microsoft Windows 11 24H2
CVE-2026-32222Same product: Microsoft Windows 11 24H2
CVE-2026-42896Same product: Microsoft Windows 11 24H2
CVE-2026-21250Same product: Microsoft Windows 11 24H2
CVE-2026-40369Same product: Microsoft Windows 11 24H2

Affected Assets

microsoft
windows 11 24h2
≤ 10.0.26100.7623 · ≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623 · ≤ 10.0.26200.7623
microsoft
windows server 2025
≤ 10.0.26100.32230

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper link resolution vulnerability in the Host Process for Windows Tasks through timely application of vendor patches.

prevent

Enforces least privilege on users and processes to limit the ability of low-privileged local attackers to create exploitable symbolic links or the impact of successful escalation.

prevent

Establishes secure configuration settings for the Windows operating system to harden against symlink following vulnerabilities in task host processes.

References