Actively Exploited Zero-Day Vulnerability in Windows Desktop Window Manager
CVE-2026-20955 and CVE-2026-20957 are Critical remote code execution vulnerabilities in Microsoft Excel, both with CVSS scores of 7.8. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting an untrusted pointer dereference weakness (CVE-2026-20955) and an integer underflow leading to a heap-based buffer overflow (CVE-2026-20957) in Microsoft Office Excel components. Exploitation requires user interaction; an attacker must send a malicious file and convince the target user to open it. Unlike the Word vulnerability CVE-2026-20944, the preview pane is not an attack vector for either of these Excel vulnerabilities.
This vulnerability enables authenticated local attackers with low-level privileges to escalate to SYSTEM-level access through a stack-based buffer overflow in Agere Soft Modem drivers. Successful exploitation allows attackers to gain complete control over affected Windows systems.
| Severity | CVSS Score | CVE | Description |
| Important | 5.5 | CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
Publicly Disclosed Zero-Day Vulnerability in Windows Agere Soft Modem
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
CVE-2023-31096 is an Important elevation of privilege vulnerability affecting Windows Agere Soft Modem drivers with a CVSS score of 7.8. While it has been publicly disclosed, there is no evidence of exploitation in the wild.
CVE-2026-20944 is a Critical remote code execution vulnerability in Microsoft Word with a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting an out-of-bounds read weakness in Microsoft Office Word components. Exploitation requires user interaction: an attacker must send a malicious file and convince the target user to open it, with the preview pane serving as an attack vector for this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2023-31096 | Agere Soft Modem Driver Elevation of Privilege Vulnerability |
Publicly Disclosed Zero-Day Vulnerability in Windows Secure Boot
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
CVE-2026-20822 is a Critical elevation of privilege vulnerability in Windows Graphics Component with a CVSS score of 7.8. This vulnerability allows authenticated attackers with low privileges to elevate to SYSTEM privileges by exploiting a use-after-free condition in the Microsoft Graphics Component. Exploitation requires no user interaction but has high attack complexity, as successful exploitation requires the attacker to win a race condition. In virtualized GPU environments, an attacker who successfully exploits this vulnerability could break out of a virtual machine and gain access to the underlying host system.
| Severity | CVSS Score | CVE | Description |
| Important | 6.4 | CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
Two Critical Vulnerabilities in Microsoft Office
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
Three Critical Vulnerabilities in Microsoft Office Products
Microsoft has addressed this vulnerability by removing the Agere Soft Modem drivers in the January 2026 cumulative update. As a result, soft modem hardware dependent on these drivers will no longer function on Windows.
CVE-2026-20854 is a Critical remote code execution vulnerability in Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 7.5. This vulnerability allows authenticated attackers with low privileges to execute arbitrary code over a network by exploiting a use-after-free condition (CWE-416) in Windows LSASS. Any authenticated attacker can trigger this vulnerability by modifying certain directory attributes to provide crafted data that causes the system to reference invalid memory during authentication, potentially leading to a crash or remote code execution. Successful exploitation requires high attack complexity, as the attacker must prepare the target environment to improve exploit reliability.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
A Critical Vulnerability in Windows Graphics
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.8 | CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
Two Critical Vulnerabilities in Windows Security Components
CVE-2026-21265 is an Important security feature bypass vulnerability affecting Windows Secure Boot with a CVSS score of 6.4. This vulnerability allows authenticated local attackers with high privileges to bypass security features by exploiting weaknesses in the certificate update mechanism through local access to the system. While it has been publicly disclosed, there is no evidence of active exploitation in the wild.
The vulnerability allows local attackers with basic user privileges to access sensitive system memory addresses through Windows internal communication channels. This information can help attackers bypass security protections or enable more sophisticated attacks. The vulnerability is easy to exploit, requiring only local access with no user interaction, and affects multiple versions of Windows 10, Windows 11, and Windows Server systems.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.5 | CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| Critical | 6.7 | CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
Defects in the certificate update mechanism’s firmware components could disrupt the Secure Boot trust chain. Successful exploitation requires high attack complexity and could allow attackers to bypass Secure Boot protections. Microsoft has released an official fix and detailed guidance for both Microsoft-managed and IT-managed Windows devices.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
CVE-2026-20952 and CVE-2026-20953 are Critical remote code execution vulnerabilities in Microsoft Office, both with CVSS scores of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting use-after-free conditions in Microsoft Office components. Exploitation requires no user interaction in the worst-case scenario and can be triggered by sending specially crafted malicious emails or links to the target user, with the preview pane serving as an attack vector for both vulnerabilities. In the most severe attack scenario, an attacker could send a specially crafted email without requiring the victim to open the link, resulting in remote code execution on the victim’s machine.
CVE-2026-20876 is a Critical elevation of privilege vulnerability in Windows Virtualization-Based Security (VBS) Enclave with a CVSS score of 6.7. This vulnerability allows attackers who already have administrator access to break into the system’s most protected security layer, which is designed to safeguard critical functions like password protection and security features even when the system is compromised. The attack is relatively straightforward to execute and requires no user interaction.
Learn More
CVE-2026-20805 is an Important information disclosure vulnerability affecting Windows Desktop Window Manager with a CVSS score of 5.5. Microsoft has confirmed this vulnerability is being actively exploited in the wild.
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
About CVSS Scores
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
