TLP:CLEAR-[ngCERT SECURITY ADVISORY ON ACTIVELY EXPLOITED INFORMATION DISCLOSURE VULNERABILITY IN WINDOWS DESKTOP WINDOW MANAGER]

Advisory ID:   ngCERT-2026-010002

SUMMARY/DESCRIPTION

ngCERT alerts organisations and users to an actively exploited zero-day vulnerability affecting Microsoft Windows Desktop Window Manager (DWM). DWM is a core Windows service responsible for managing visual effects, window composition, and graphical rendering in the operating system. The Vulnerability tracked as CVE-2026-20805 arises from improper handling of Advanced Local Procedure Call (ALPC) messages within the DWM service. An attacker with local access can send crafted ALPC requests that trigger memory disclosure, returning internal pointers and heap/base address details. While it does not directly permit remote code execution or privilege escalation in isolation, it can be leveraged to bypass core exploit mitigations such as Address Space Layout Randomization (ASLR). This significantly increases the reliability of subsequent exploit chains. This advisory provides details on the issue, its impact and recommended solutions.

Damage:      Critical 

Probability:  High

Platform(s):  Windows

CONSEQUENCES

Successful exploitation of this vulnerability could lead to:

1. SLR Bypass: Leaking memory layout information directly undermines ASLR, a fundamental memory-hardening technique used to defend against buffer overflows and ROP attacks.
2. Facilitated Exploitation: By revealing internal addresses, attackers can craft reliable exploits for other locally or remotely accessible vulnerabilities, increasing the likelihood of full system compromise.
3. Exploit Chaining: It initiates multi-stage exploit chains, particularly in post-compromise lateral movement, privilege escalation, or persistence scenarios.
4. Enterprise Risk: In corporate environments where attackers may already have footholds (e.g., via phishing or compromised credentials), this vulnerability strengthens the adversary’s ability to deepen access.
5. Active Exploitation: Public reporting confirms active exploitation in the wild before patch deployment, underscoring real-world risk.

SOLUTION/MITIGATION

The following are recommended:

1. Apply security updates immediately: Microsoft’s January 2026 Patch Tuesday updates for CVE-2026-20805 should be applied immediately to remediate the flaw.
2. Restrict Local Access: Limit user accounts with local login to trusted personnel and use endpoint access controls to reduce exploit opportunities.
3. Harden Processes: Employ Endpoint Detection and Response (EDR) with ALPC/DWM monitoring rules to detect suspicious interactions with DWM.
4. Least Privilege: Review and enforce least privilege for all user accounts and services.
5. Behavioural Monitoring: Monitor systems for unusual ALPC traffic patterns or unauthorized inter-process communications with dwm.exe
6. ASLR-Aware Protections: Ensure other Microsoft security features, such as Virtualisation-Based Security (VBS) and Hypervisor Enforcement Code Integrity (HVCI), are enabled where supported.
7. Patch Management: Incorporate timely patch deployment and vulnerability scanning into standard operations.

HYPERLINK

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
• Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited
• https://www.rapid7.com/blog/post/em-patch-tuesday-january-2026/