⚠ Actively exploited
Added to CISA KEV on 2026-01-13. Federal agencies required to patch by 2026-02-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-20805Sensitive Information Exposure in Microsoft Windows 10 Version 1607

CWE-200Sensitive Information Exposure13 documents10 sources
Severity
5.5MEDIUMNVD
EPSS
3.7%
top 11.98%
CISA KEV
KEV
Added 2026-01-13
Due 2026-02-03
Exploit
No known exploits
Affected products
22
Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809Microsoft Windows 10 Version 21h2+19 more
Timeline
PublishedJan 13
KEV addedJan 13
Latest updateJan 14
KEV dueFeb 3
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages22 packages

NVDmicrosoft/windows< 10.0.14393.8783+5
NVDmicrosoft/windows_10_1607< 10.0.14393.8783
NVDmicrosoft/windows_10_1809< 10.0.17763.8276
NVDmicrosoft/windows_10_21h2< 10.0.19044.6809
NVDmicrosoft/windows_10_22h2< 10.0.19045.6809

🔴Vulnerability Details

3
GHSA
GHSA-2x3m-95pj-8pg6: Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally2026-01-13
CVEList
Desktop Window Manager Information Disclosure Vulnerability2026-01-13
VulnCheck
Microsoft Windows Information Disclosure Vulnerability2026

📋Vendor Advisories

2
Microsoft
Desktop Window Manager Information Disclosure Vulnerability2026-01-13
CISA
Microsoft Windows Information Disclosure Vulnerability2026-01-13

🕵️Threat Intelligence

6
Krebs
Patch Tuesday, January 2026 Edition2026-01-14
Talos
Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities2026-01-13
Talos
Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities2026-01-13
Krebs
Patch Tuesday, January 2026 Edition2026-01-13
Wiz
CVE-2026-20805 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-20805 — Sensitive Information Exposure | cvebase