CVE-2026-20854: Windows 11 24H2 Use-After-Free Flaw

CVE-2026-20854 is a use-after-free vulnerability in the Local Security Authority Subsystem Service (LSASS) of Windows 11 24H2 that enables authorized attackers to execute code remotely over a network. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

CVE-2026-20854 Overview

CVE-2026-20854 is a use-after-free vulnerability [CWE-416] in the Windows Local Security Authority Subsystem Service (LSASS). The flaw allows an authenticated attacker to execute arbitrary code over a network against affected Windows 11 and Windows Server 2025 systems. Microsoft published the advisory on January 13, 2026.

LSASS handles authentication, password changes, and access token generation on Windows hosts. Successful exploitation grants code execution within a highly privileged system component. Attack complexity is rated high, which reflects the timing or memory state conditions an attacker must satisfy to trigger the freed object reuse.

Critical Impact

Authenticated attackers who win the required race condition can execute code in LSASS over the network, compromising confidentiality, integrity, and availability of the targeted host.

Affected Products

  • Microsoft Windows 11 version 24H2
  • Microsoft Windows 11 version 25H2
  • Microsoft Windows Server 2025

Discovery Timeline

  • 2026-01-13 - CVE-2026-20854 published to NVD
  • 2026-01-15 - Last updated in NVD database

Technical Details for CVE-2026-20854

Vulnerability Analysis

The vulnerability resides in LSASS, the lsass.exe process responsible for enforcing the Windows security policy. A use-after-free condition occurs when LSASS continues to reference a memory object after that object has been freed. An attacker who controls the allocation pattern can place attacker-influenced data into the freed region before the dangling pointer is dereferenced.

Reaching the vulnerable code path requires valid credentials on the target, since the attacker must authenticate to LSASS over the network. Exploitation impacts confidentiality, integrity, and availability of the host because LSASS runs with SYSTEM-equivalent privileges. The flaw maps to CWE-416, the standard classification for use-after-free defects.

Microsoft has not reported public exploitation, and no proof-of-concept code is currently available.

Root Cause

The root cause is improper object lifetime management inside LSASS. Code paths release a memory object while another code path retains a reference to it. When the stale reference is later used, the allocator may have reissued the memory to attacker-controlled data, allowing the dereference to redirect execution or corrupt state.

Attack Vector

The attack vector is Network, with Low privileges required and no user interaction. An authenticated remote attacker sends crafted authentication or RPC traffic to LSASS to drive the allocation and free sequence required to trigger the dangling pointer. Attack complexity is High because the attacker must reliably control memory layout and timing within the targeted LSASS process.

No verified exploit code is publicly available. Refer to the Microsoft CVE-2026-20854 Advisory for vendor-supplied technical details.

Detection Methods for CVE-2026-20854

Indicators of Compromise

  • Unexpected crashes, restarts, or Watson error reports involving lsass.exe on Windows 11 24H2, 25H2, or Windows Server 2025.
  • Anomalous inbound authentication or RPC traffic to LSASS from accounts that do not normally interact with domain controllers or member servers.
  • New child processes spawned by lsass.exe, which is highly unusual on a healthy system.

Detection Strategies

  • Monitor Windows Error Reporting and Application event logs for repeated faults in lsass.exe or modules it loads.
  • Hunt for credential-backed network sessions that immediately precede LSASS instability or memory anomalies.
  • Correlate authentication telemetry with EDR process and memory events to identify exploitation attempts against LSASS.

Monitoring Recommendations

  • Enable LSASS protection (RunAsPPL) and Credential Guard where supported, and alert on tampering with these settings.
  • Forward Sysmon process, image-load, and ProcessAccess events targeting lsass.exe to a centralized analytics platform.
  • Track failed and successful authentications from new or rarely seen source hosts against high-value servers.
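The following PowerShell hunt is an added example, not part of the advisory or any Microsoft tooling: it runs the Detection Strategies and Monitoring Recommendations above against one host's event logs and reports the LSASS hardening state so that tampering can be alerted on. It assumes Sysmon is installed and logging process creation (Event ID 1) and ProcessAccess (Event ID 10), and the allow-list of images that may legitimately open lsass.exe is an assumption to tune per environment.

```powershell
# Added example (not from the advisory): hunt for the LSASS indicators listed above on one host.
# Assumes Sysmon logs process creation (ID 1) and ProcessAccess (ID 10); the allow-list below is
# an assumption and must be tuned to the EDR/AV and system images present in your environment.
param([int]$Hours = 24)
$since     = (Get-Date).AddHours(-$Hours)
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Flatten a Sysmon event's EventData into a hashtable (Name -> value)
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. lsass.exe faults recorded by Application Error (Event ID 1000) in the Application log
$crashes = @(Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' })

# 2. Child processes of lsass.exe (Sysmon ID 1): a healthy lsass.exe spawns nothing
$children = @(Get-WinEvent -FilterHashtable @{LogName=$sysmonLog; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.ParentImage -like '*\lsass.exe' })

# 3. Handles opened to lsass.exe (Sysmon ID 10) by images outside the allow-list
$allowed = @('*\MsMpEng.exe', '*\csrss.exe', '*\wininit.exe', '*\services.exe', '*\svchost.exe')
$access = @(Get-WinEvent -FilterHashtable @{LogName=$sysmonLog; Id=10; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object {
        $ev = $_
        $ev.TargetImage -like '*\lsass.exe' -and
        -not ($allowed | Where-Object { $ev.SourceImage -like $_ })
    })

# 4. Tampering check on the hardening settings recommended above (RunAsPPL, Credential Guard)
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

[pscustomobject]@{
    LsassCrashes          = $crashes.Count
    LsassChildProcesses   = @($children | ForEach-Object { $_.Image })
    UnexpectedLsassAccess = @($access | ForEach-Object { "$($_.SourceImage) (access $($_.GrantedAccess))" })
    RunAsPPL              = $lsa.RunAsPPL   # expect 1 or 2 once LSASS protection is enforced
    CredentialGuard       = [bool]($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard running
}
```

Run it elevated, since reading the Sysmon channel requires administrative rights; any non-empty child-process or unexpected-access list, a crash count above zero, or a RunAsPPL value of 0 or null on a host that should be hardened warrants investigation.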

How to Mitigate CVE-2026-20854

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft CVE-2026-20854 Advisory to all Windows 11 24H2, 25H2, and Windows Server 2025 hosts.
  • Prioritize patching of domain controllers, identity servers, and any system exposing authentication services to broad network segments.
  • Rotate credentials for privileged accounts on systems that exhibited LSASS instability prior to patching.

Patch Information

Microsoft has released fixes through the Security Update Guide. Administrators should consult the Microsoft CVE-2026-20854 Advisory for the specific KB articles and build numbers that correspond to Windows 11 24H2, Windows 11 25H2, and Windows Server 2025.

Workarounds

  • Restrict inbound access to LSASS-related ports (SMB, RPC, LDAP, Kerberos) using host firewalls and network segmentation until patching completes.
  • Enforce LSASS protection (RunAsPPL) and Credential Guard to raise the cost of exploitation and credential theft.
  • Require strong authentication and limit accounts that can authenticate to sensitive servers to reduce the population of users capable of triggering the vulnerable code path.
```powershell
# Enable LSASS as a protected process (PPL) via the registry; takes effect after a reboot.
# RunAsPPL = 2 enables protection without a UEFI lock (Windows 11 22H2 and later); 1 enables it with a UEFI variable.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 2 /f

# Install pending Windows updates (requires the PSWindowsUpdate module: Install-Module PSWindowsUpdate)
Get-WindowsUpdate -Install -AcceptAll -AutoReboot
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
