CVE-2026-20859 Overview
CVE-2026-20859 is a use-after-free vulnerability [CWE-416] in Windows Kernel-Mode Drivers. An authenticated local attacker can exploit the flaw to elevate privileges on affected systems. Microsoft published the advisory on January 13, 2026, covering Windows 11 24H2, Windows 11 25H2, and Windows Server 2025.
Successful exploitation grants SYSTEM-level execution on the target host. The attacker requires prior local access with low privileges but does not need user interaction. The flaw impacts confidentiality, integrity, and availability.
Critical Impact
Local attackers with standard user accounts can obtain SYSTEM privileges by triggering a freed kernel object, gaining full control of the operating system.
Affected Products
- Microsoft Windows 11 24H2
- Microsoft Windows 11 25H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-01-13 - CVE-2026-20859 published to NVD
- 2026-01-13 - Microsoft releases security update via MSRC advisory
- 2026-01-15 - Last updated in NVD database
Technical Details for CVE-2026-20859
Vulnerability Analysis
The vulnerability resides in a Windows Kernel-Mode Driver and is classified under [CWE-416] Use After Free. The driver releases a kernel object but retains a dangling reference. Subsequent operations dereference the freed memory, allowing an attacker who controls the reallocated region to manipulate kernel data structures.
Exploitation occurs entirely on the local system. The attacker must hold valid credentials and execute code in a low-privileged user context. No user interaction is required to trigger the unsafe free-and-reuse pattern.
Kernel use-after-free conditions typically allow attackers to corrupt function pointers, security tokens, or object headers. An attacker who sprays the kernel pool with controlled data can have the freed slot reallocated with a forged object, so the kernel then operates on attacker-supplied fields with ring-0 privileges.
Root Cause
The root cause is improper object lifetime management within a kernel-mode driver shipped with Windows 11 24H2, 25H2, and Server 2025. A reference to a kernel allocation persists after the allocation is freed. Concurrent driver code paths reuse the stale pointer without revalidation, producing a write or call against attacker-controlled memory.
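The free-and-reuse pattern described in the analysis and root-cause sections, shown in a constructed user-mode model (an added example, not code from the affected driver or from Microsoft). A fixed array of slots stands in for the kernel pool so that "freed" memory can be inspected safely; path_vulnerable keeps a raw pointer across a second code path that drops the only reference, while path_fixed takes its own reference first so the object cannot be freed underneath it. Every name here (drv_object, drv_object_create, other_path_release_and_reuse, and so on) is hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a driver-owned pool object. The pool is a static array so
 * a dangling read lands in observable memory instead of undefined behaviour. */
#define POOL_SLOTS 4

typedef struct drv_object {
    uint32_t refcount;   /* outstanding references; freed when this reaches zero */
    bool     in_use;     /* slot currently allocated? */
    uint32_t field;      /* stands in for a security-relevant field (token, callback) */
} drv_object;

static drv_object g_pool[POOL_SLOTS];

/* Return the pool to a known empty state so each path is deterministic. */
static void pool_reset(void) {
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        g_pool[i].refcount = 0;
        g_pool[i].in_use = false;
        g_pool[i].field = 0;
    }
}

/* Number of slots currently allocated. */
static size_t pool_live_count(void) {
    size_t n = 0;
    for (size_t i = 0; i < POOL_SLOTS; i++) n += g_pool[i].in_use ? 1 : 0;
    return n;
}

/* Allocate the first free slot; the caller receives the single initial reference. */
static drv_object *drv_object_create(uint32_t field) {
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!g_pool[i].in_use) {
            g_pool[i].in_use = true;
            g_pool[i].refcount = 1;
            g_pool[i].field = field;
            return &g_pool[i];
        }
    }
    return NULL;
}

static void drv_object_reference(drv_object *o) { o->refcount++; }

/* Drop one reference; the slot is released only when the last holder lets go. */
static void drv_object_dereference(drv_object *o) {
    if (--o->refcount == 0) {
        o->in_use = false;
        o->field = 0;
    }
}

/* Stand-in for a concurrent code path (e.g. a cleanup routine on another thread)
 * that releases the creator's reference and then allocates a new object, which
 * reuses the first free slot. */
static void other_path_release_and_reuse(drv_object *o, uint32_t new_field) {
    drv_object_dereference(o);
    (void)drv_object_create(new_field);
}

/* Vulnerable pattern (CWE-416): a raw pointer is held across the other path without
 * taking a reference, then read through. Returns whatever the slot now contains. */
static uint32_t path_vulnerable(void) {
    pool_reset();
    drv_object *o = drv_object_create(0x1111);
    other_path_release_and_reuse(o, 0xBAD0);
    return o->field;   /* dangling: observes the replacement object's field */
}

/* Fixed pattern: hold our own reference for the duration of the use, so the other
 * path cannot free the object; release it afterwards. Returns the field we saw. */
static uint32_t path_fixed(void) {
    pool_reset();
    drv_object *o = drv_object_create(0x1111);
    drv_object_reference(o);                 /* refcount 2: creator + this path */
    other_path_release_and_reuse(o, 0xBAD0); /* creator's ref dropped; object survives */
    uint32_t seen = o->field;                /* still the original, live object */
    drv_object_dereference(o);               /* last reference: now it is freed */
    return seen;
}

int main(void) {
    printf("vulnerable path observed 0x%" PRIX32 "\n", path_vulnerable());
    printf("fixed path observed 0x%" PRIX32 "\n", path_fixed());
    printf("live objects after the fixed path released its reference: %zu\n",
           pool_live_count());
    return 0;
}
```

The contrast is the whole point: both paths run the same "other" code, but only the path that owns a reference for the lifetime of its use reads its own object. In a real driver the equivalent fix is to take and release the object's reference around every use on every code path, rather than trusting that nothing else frees it in between.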
Attack Vector
The attack vector is local with low attack complexity. An attacker authenticated to the system invokes the vulnerable driver interface, typically through DeviceIoControl calls or syscall paths that reach the affected driver. Triggering the free in one thread while a second thread holds the stale reference is the canonical exploitation pattern for this class of bug.
No public proof-of-concept has been released, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is low, reflecting the absence of observed in-the-wild exploitation at publication.
No verified exploit code is available. See the Microsoft Security Update CVE-2026-20859 advisory for vendor technical details.
Detection Methods for CVE-2026-20859
Indicators of Compromise
- Unexpected SYSTEM-level processes spawned from user-context parent processes such as cmd.exe, powershell.exe, or unsigned binaries in writable user directories.
- Kernel bug check events (BSOD) with stop codes related to pool corruption or DRIVER_VERIFIER_DETECTED_VIOLATION on affected Windows builds.
- Anomalous DeviceIoControl activity targeting kernel driver device objects from non-administrative processes.
Detection Strategies
- Monitor for token-swapping behavior in which a process suddenly executes as NT AUTHORITY\SYSTEM (System integrity) after starting at Medium integrity.
- Enable Driver Verifier on test images to surface use-after-free conditions in the affected kernel-mode driver during validation.
- Correlate Windows Event Log entries for service crashes, driver faults, and special-privilege logon events (Event ID 4672) tied to unusual accounts.
Monitoring Recommendations
- Deploy endpoint detection and response (EDR) telemetry that records process token elevation events and parent-child process lineage.
- Track Sysmon Event ID 1 (process creation) and Event ID 10 (process access) for processes accessing kernel driver handles with elevated rights.
- Audit installation and load events for kernel-mode drivers, focusing on unsigned or recently introduced drivers (Sysmon Event ID 6, driver loaded).
How to Mitigate CVE-2026-20859
Immediate Actions Required
- Apply the January 2026 Microsoft security update referenced in the MSRC advisory to all Windows 11 24H2, 25H2, and Windows Server 2025 hosts.
- Inventory affected systems using configuration management tooling to confirm patch deployment across endpoints and servers.
- Restrict local interactive logon rights on sensitive servers, since exploitation requires authenticated local access.
Patch Information
Microsoft published the official fix on January 13, 2026. Administrators should install the cumulative update for Windows 11 24H2, Windows 11 25H2, and Windows Server 2025 as documented in the Microsoft Security Update CVE-2026-20859 guidance. No alternative vendor patch exists.
Workarounds
- No official workaround has been published by Microsoft; patching is the only supported remediation.
- Enforce least-privilege account policies and remove unnecessary local user accounts to reduce the attacker pool capable of triggering the flaw.
- Enable Windows Defender Application Control or AppLocker to limit execution of untrusted binaries that could deliver an exploit payload.
```powershell
# Verify the January 2026 cumulative update is installed on Windows hosts
# (compare the KB numbers shown against the one listed in the MSRC advisory)
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Confirm the OS build matches a patched version for Windows 11 24H2 / 25H2 / Server 2025
# (the patched build numbers are listed in the Microsoft Security Update guidance)
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.