[Image: Microsoft Windows logo on a keyboard. Credit: Tadas Sar via Unsplash]

Federal agencies ordered to patch Microsoft Desktop Windows Manager bug

U.S. government agencies have been ordered to patch a vulnerability in Microsoft’s Desktop Windows Manager after it was confirmed that the bug has been exploited by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability, tracked as CVE-2026-20805, to its exploited bugs catalog on Tuesday.

It was one of 113 vulnerabilities disclosed by Microsoft as part of the first Patch Tuesday batch of 2026.

Federal civilian agencies will have until February 3 to patch the vulnerability. The Desktop Windows Manager (DWM) enables visual effects on a Microsoft desktop as well as various other features. It is a key part of how windows appear on a user’s screen. 
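The February 3 deadline comes from the CISA Known Exploited Vulnerabilities (KEV) catalog, which publishes a `dueDate` for every entry. The script below is an added example (not code from the article, CISA or Microsoft) showing how a defender can index the KEV feed by CVE ID, match it against the CVEs seen in their own environment, and sort by days remaining so overdue items surface first. The feed text here is a constructed, KEV-shaped sample: only CVE-2026-20805 and its February 3, 2026 due date come from the article; the `dateAdded`, descriptions and the `CVE-0000-...` IDs are placeholders. The `fetch_live_kev` helper is an assumed convenience that reads the real feed URL and is not exercised offline.

```python
import json
import urllib.request
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. This is NOT the live catalog:
# only the first entry's CVE ID and due date are taken from the article, every
# other value (dates added, names, and the second entry's ID) is a placeholder.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV-shaped sample (not the live CISA feed)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-20805",
      "vendorProject": "Microsoft",
      "product": "Desktop Windows Manager (placeholder product string)",
      "vulnerabilityName": "placeholder name",
      "dateAdded": "2026-01-13",
      "shortDescription": "placeholder description",
      "requiredAction": "Apply mitigations per vendor instructions (placeholder)",
      "dueDate": "2026-02-03",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "PLACEHOLDER",
      "product": "PLACEHOLDER",
      "vulnerabilityName": "placeholder name",
      "dateAdded": "2025-12-20",
      "shortDescription": "placeholder description",
      "requiredAction": "placeholder",
      "dueDate": "2026-01-10",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (JSON text) by upper-cased CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def fetch_live_kev(timeout: int = 30) -> dict:
    """Assumed helper: download the real feed and index it. Requires network access."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def triage(kev: dict, inventory: list, today: date) -> list:
    """For each CVE found in our environment, report whether it is in KEV and
    how many days remain until the CISA due date (negative means overdue).
    The result is sorted most-urgent first; CVEs not in KEV sort last."""
    report = []
    for cve in inventory:
        cve_id = cve.strip().upper()
        entry = kev.get(cve_id)
        if entry is None:
            report.append({"cve": cve_id, "in_kev": False, "days_left": None,
                           "status": "not in KEV"})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        status = "OVERDUE" if days_left < 0 else "due"
        report.append({"cve": cve_id, "in_kev": True, "days_left": days_left,
                       "status": status, "due_date": entry["dueDate"],
                       "vendor": entry.get("vendorProject", "")})
    # Sort key: in-KEV entries first, then by fewest days remaining.
    report.sort(key=lambda r: (not r["in_kev"],
                               r["days_left"] if r["days_left"] is not None else 10**9))
    return report


if __name__ == "__main__":
    # Constructed inventory, as a vulnerability scanner might produce it.
    seen_in_environment = ["cve-2026-20805", "CVE-0000-00001", "CVE-0000-00002"]
    for row in triage(load_kev(SAMPLE_KEV_JSON), seen_in_environment, date(2026, 1, 20)):
        print(row)
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_live_kev()` to run it against the real catalog; the field names used above (`cveID`, `dueDate`, `vendorProject`) are the ones the live feed publishes.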

Kev Breen, senior director of cyberthreat research at Immersive, said that while the bug’s severity score of 5.5 out of 10 is low, the flaw still discloses information.

“Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits,” he explained. 

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack.”

He noted that Microsoft did not disclose what additional components may be involved in the exploit chain, “significantly limiting defenders’ ability to proactively threat hunt for related activity.”
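ASLR only protects a Windows binary that opts into it: the linker sets the `DYNAMIC_BASE` flag (and, for 64-bit images, `HIGH_ENTROPY_VA`) in the PE optional header, and an image whose relocations have been stripped cannot be rebased at all. One defensive check that follows from Breen's point is to inventory which binaries actually carry those flags. The parser below is an added example, not code from the article or from any vendor; it reads the DOS, COFF and optional headers by offset as defined in the PE/COFF specification. The `build_minimal_pe` helper is an assumed, constructed header-only image used so the example runs offline; it is not a loadable executable, and `scan_file` is the entry point for real files on disk.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
# COFF Characteristics flag: relocations stripped, so the loader cannot rebase the image.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers and report the ASLR/DEP-related flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The flag alone is not enough: without relocations the loader cannot move the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def scan_file(path: str) -> dict:
    """Read a real PE file from disk and report its mitigation flags."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def build_minimal_pe(dllchar: int, characteristics: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for offline testing (assumed helper, not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after the DOS header
    opt_size = 240 if pe32plus else 224              # standard optional header sizes
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("hardened:", pe_mitigations(hardened))
    flagged_but_unmovable = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                             characteristics=IMAGE_FILE_RELOCS_STRIPPED)
    print("flag set, relocs stripped:", pe_mitigations(flagged_but_unmovable))
```

The `aslr_effective` field is the one to alert on: a binary can carry `DYNAMIC_BASE` and still load at a fixed address when its `.reloc` section was stripped, which is exactly the case an address-disclosure bug would not even need to defeat.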

Tenable’s Satnam Narang added that exploitation of CVE-2026-20805 requires the attacker to have local access to the targeted system. Narang told Recorded Future News that DWM is a “frequent flyer” on Patch Tuesday — with 20 CVEs patched since 2022. But this is the first time there has been an information disclosure bug in this component exploited in the wild. 

The DWM process runs with elevated privileges because it needs them to do its job, according to Automox’s Ryan Braunstein, meaning attackers will not need administrative privileges to exploit it. 

Braunstein said attackers will likely leverage any application capable of drawing windows to trigger the vulnerability before using the information disclosure to gather data for further attacks.

CISA has added three other bugs to the Known Exploited Vulnerabilities catalog in 2026.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.