CVE-2026-20851
Published 2026-01-13
CVE-2026-20851: Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally.
Priority: P4 · 30 · medium · 6.2 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.57% (42.4th percentile)
Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_24h2 | < 10.0.26100.7623 | 10.0.26100.7623 |
| microsoft | windows_11_25h2 | < 10.0.26200.7623 | 10.0.26200.7623 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.7623 | 10.0.26100.7623 |
| microsoft | windows_11_version_25h2 | >= 10.0.26200.0 < 10.0.26200.7623 | 10.0.26200.7623 |
| microsoft | windows_server_2025 | < 10.0.26100.32230 | 10.0.26100.32230 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.32230 | 10.0.26100.32230 |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_x64-based_systems | — | — |
| msrc | windows_server_2025 | — | — |
CVSS provenance
nvd · v3.1 · 6.2 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_msrc · 6.2 · MEDIUM
GHSA
GHSA-5x4x-63j4-7rhv: Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally
ghsa_unreviewed·2026-01-13
CVE-2026-20851 [MEDIUM] CWE-125 GHSA-5x4x-63j4-7rhv: Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally
Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally.
Microsoft
Capability Access Management Service (camsvc) Information Disclosure Vulnerability
vendor_msrc·2026-01-13·CVSS 6.2
CVE-2026-20851 [MEDIUM] CWE-125 Capability Access Management Service (camsvc) Information Disclosure Vulnerability
Capability Access Management Service (camsvc) Information Disclosure Vulnerability
Description: Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally.
FAQ: What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.
Customer Action Required: Yes
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5073379
Refe
No detection rules found.
No public exploits indexed.
Qualys
Microsoft and Adobe Patch Tuesday, January 2026 Security Update Review
blogs_qualys·2026-01-13
Microsoft and Adobe Patch Tuesday, January 2026 Security Update Review
## Table of Contents
- Microsoft Patch Tuesday for January 2026
- Adobe Patches for January 2026
- Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with TruRisk Eliminate
- EVALUATE Vendor-Suggested Mitigation with Policy Audit (PA)
- Qualys Monthly Webinar Series
Starting the year on a security-first note, Microsoft’s January 2026 Patch Tuesday resolves several vulnerabilities that could impact enterprise environments. Here’s a quick breakdown of what you need to know.
## Microsoft Patch Tuesday for January 2026
This month’s rel
Bleepingcomputer
Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws
blogs_bleepingcomputer·2026-01-13·CVSS 5.5
[MEDIUM] Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws
## Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws
## Lawrence Abrams
57 Elevation of Privilege vulnerabilities
3 Security Feature Bypass vulnerabilities
22 Remote Code Execution vulnerabilities
22 Information Disclosure vulnerabilities
2 Denial of Service vulnerabilities
5 Spoofing vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include Microsoft Edge (1 flaw) and Mariner vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5074109 & KB5073455 cumulative updates and Windows 10 KB5073724 extended security update.
## 3 zero-days, one ex
Wiz
CVE-2026-20851 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-20851 [MEDIUM] CVE-2026-20851 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20851: vulnerability analysis and mitigation
Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally.
Source: NVD
Score: 6.2
Published January 13, 2026
Severity MEDIUM
CNA Score 6.2
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Sources
NVD
2026-01-13
Published