Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm

Summary

Microsoft patched an information-disclosure zero-day (CVE-2026-20805) discovered by its own threat-intel team. The flaw allows an authorised attacker to leak a memory address from a remote ALPC port, information that can be used to defeat Address Space Layout Randomisation (ASLR) and be chained into arbitrary code execution. Microsoft gave the bug a CVSS score of 5.5 and, after the update was released, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to apply the fix by 3 February 2026.

The January Patch Tuesday bundle covers 112 Microsoft CVEs. Two other publicly known issues addressed in the release are CVE-2026-21265 (a secure-boot certificate-expiration security feature bypass, CVSS 6.4) and CVE-2023-31096 (a 7.8-rated elevation-of-privilege flaw in third-party Agere modem drivers, which Microsoft removed in this update). Microsoft also fixed Office use-after-free bugs (CVE-2026-20952 and CVE-2026-20953) that could permit local code execution.

Key Points

  • CVE-2026-20805 is an ALPC information-disclosure zero-day that leaks memory addresses and undermines ASLR, enabling follow-on exploits.
  • January Patch Tuesday disclosed 112 Microsoft CVEs and includes what’s likely the first zero-day of 2026.
  • CISA added CVE-2026-20805 to its Known Exploited Vulnerabilities list, mandating federal remediation by 2026-02-03.
  • Publicly known issues fixed include a secure-boot certificate-expiry bypass (CVE-2026-21265) and removal of vulnerable Agere modem drivers (CVE-2023-31096).
  • High-severity Office use-after-free bugs (CVE-2026-20952, CVE-2026-20953) were addressed — such bugs remain attractive to attackers and may be chained to execute code.

Why should I read this

Short version: patch now. CISA has sounded the alarm, the bug is being exploited, and it makes later stages of attacks much easier. We skimmed the full dump and highlighted the bits you absolutely need to know — save yourself time and get the update pushed.

Context and Relevance

Information-disclosure flaws like this are high-value for attackers because they reveal memory layout and defeat ASLR, turning tricky, unreliable attacks into practical ones. The CISA designation raises urgency for public-sector organisations and large estates; for everyone else, it’s a clear signal to prioritise patching and hunt for related indicators. Also check secure-boot certificate updates and the removal of legacy third-party drivers as part of remediation.

Source

Source: https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/