Description
Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.
Published: 2026-01-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use‑after‑free flaw in the Windows Local Security Authority Subsystem Service (LSASS). An attacker who already holds an authorized session can craft a payload that causes LSASS to execute arbitrary code over the network. The resulting impact is complete compromise of the system’s confidentiality, integrity, and availability, because the attacker can run code with LSASS privileges. The weakness is classified as CWE‑416 (use after free).

Affected Systems

Microsoft products affected are Windows 11 24H2 and 25H2, as well as Windows Server 2025 and its Server Core installation. The vulnerability applies to all builds of these versions that have not yet applied the Microsoft security update referenced in the official advisory.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5 (high severity), but its EPSS score is below 1%, suggesting that exploitation attempts are currently unlikely. It is not listed in CISA’s KEV catalog. Per the CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N), the attack is network-reachable, requires low-privileged authorized access and no user interaction, and has high attack complexity; once those conditions are met, the use‑after‑free flaw can be triggered over a network connection to execute arbitrary code with LSASS privileges. This remote code execution threat can compromise the confidentiality, integrity, and availability of the system.

Generated by OpenCVE AI on April 16, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for CVE‑2026‑20854 via Windows Update or the Microsoft Update Catalog.
  • Use network firewall rules to restrict inbound traffic that reaches the LSASS service to trusted hosts within the organization’s perimeter.
  • Enable Windows Defender Exploit Guard or AppLocker to restrict LSASS execution to approved binaries and prevent abuse of the vulnerable component.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Microsoft windows 11 24h2; Microsoft windows 11 25h2
CPEs                |                | cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft windows 11 24h2; Microsoft windows 11 25h2

Tue, 13 Jan 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.
Title               |                | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
First Time appeared |                | Microsoft; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows Server 2025
Weaknesses          |                | CWE-416
CPEs                |                | cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*; cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*; cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows Server 2025
References          |                |
Metrics             |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:05.396Z

Reserved: 2025-12-03T05:54:20.378Z

Link: CVE-2026-20854

Vulnrichment

Updated: 2026-01-13T20:19:14.731Z

NVD

Status: Analyzed

Published: 2026-01-13T18:16:14.153

Modified: 2026-01-15T13:27:10.630

Link: CVE-2026-20854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses