
[CIVN-2026-0021] Information Disclosure Vulnerability in Desktop Window Manager
Information Disclosure Vulnerability in Desktop Window Manager
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
Windows 10: Versions 1607, 1809, 21H2, and 22H2.
Windows 11: Versions 23H2, 24H2, and 25H2.
Windows Server: 2012, 2012 R2, 2016, 2019, 2022, 2022 (23H2 Edition), and 2025.
Overview
An information disclosure vulnerability has been reported in the Desktop Window Manager component of Microsoft Windows which could allow an authenticated local attacker to disclose sensitive information on the affected system.
Target Audience:
All organizations and individuals using affected Microsoft Windows operating systems.
Risk Assessment:
Medium risk of disclosure of sensitive system information that may aid further attacks.
Impact Assessment:
Potential for disclosure of sensitive information from system memory.
Description
Microsoft Desktop Window Manager (DWM) is a core Windows component responsible for rendering and managing graphical user interface elements.
An information disclosure vulnerability exists in the Desktop Window Manager due to improper handling of memory objects. An authenticated local attacker with low privileges could exploit this vulnerability to disclose sensitive memory information, potentially enabling bypass of security protections such as ASLR and facilitating further attacks.
Successful exploitation of this vulnerability could allow an authenticated local attacker to disclose sensitive information from the affected system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
Vendor Information
Microsoft
https://www.microsoft.com/en-in/
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
CVE Name
CVE-2026-20805
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


