CVE-2026-20828

Q: What is the severity of CVE-2026-20828?

CVE-2026-20828 has a CVSS score of 4.6 (MEDIUM). This vulnerability allows an unauthorized attacker with physical access to a Windows system to read memory beyond intended boundaries through Windows Internet Connection Sharing (ICS), potentially disclosing sensitive information. It affects Windows systems with ICS enabled. The risk is limited to attackers with physical access to vulnerable systems.

4.6 MEDIUM

📋 TL;DR

This vulnerability allows an unauthorized attacker with physical access to a Windows system to read memory beyond intended boundaries through Windows Internet Connection Sharing (ICS), potentially disclosing sensitive information. It affects Windows systems with ICS enabled. The risk is limited to attackers with physical access to vulnerable systems.

💻 Affected Systems

Products:

Windows Internet Connection Sharing (ICS)

Versions: Specific Windows versions as listed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when Internet Connection Sharing feature is enabled and configured. Not all Windows installations have ICS enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with physical access could read sensitive memory contents, potentially exposing credentials, encryption keys, or other confidential data stored in memory.

🟠

Likely Case

Limited information disclosure from adjacent memory locations, possibly revealing non-critical system information or application data.

🟢

If Mitigated

No impact if physical access controls prevent unauthorized access to systems or if ICS is disabled.

🌐 Internet-Facing: LOW - Requires physical access, not remotely exploitable.

🏢 Internal Only: MEDIUM - Physical access required, but insider threats or unauthorized physical access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires physical access to the system and knowledge of how to trigger the out-of-bounds read condition in ICS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20828

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Restart the system to complete the installation. 3. Verify the update was successfully applied using Windows Update history.

🔧 Temporary Workarounds

Disable Internet Connection Sharing

windows

Disable the ICS feature to eliminate the vulnerability vector

netsh wlan set hostednetwork mode=disallow
Disable ICS through Network Connections properties

🧯 If You Can't Patch

Disable Internet Connection Sharing feature on all vulnerable systems
Implement strict physical access controls to prevent unauthorized physical access to systems

🔍 How to Verify

Check if Vulnerable:

Check if ICS is enabled in Network Connections properties or via 'netsh wlan show hostednetwork' command

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security update KB number

📡 Detection & Monitoring

Log Indicators:

Unexpected ICS service crashes
Memory access violations in system logs
Unauthorized physical access events

Network Indicators:

Unusual ICS configuration changes
ICS service restart patterns

SIEM Query:

EventID=1000 OR EventID=1001 Source="Application Error" AND Process Name contains "svchost" AND Command Line contains "ics"

📊 Metadata

CVE ID: CVE-2026-20828

CVSS v3 Score: 4.6 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.06% exploit probability (19.2th percentile)

Published: January 13, 2026

Last Updated: January 15, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20828 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Internet Connection Sharing

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities