CVE-2026-20875

Q: What is the severity of CVE-2026-20875?

CVE-2026-20875 has a CVSS score of 7.5 (HIGH). A null pointer dereference vulnerability in Windows LSASS allows attackers to cause a denial of service by crashing the service. This affects Windows systems where LSASS is running, potentially disrupting authentication and security policy enforcement.

7.5 HIGH

Denial of Service

📋 TL;DR

A null pointer dereference vulnerability in Windows LSASS allows attackers to cause a denial of service by crashing the service. This affects Windows systems where LSASS is running, potentially disrupting authentication and security policy enforcement.

💻 Affected Systems

Products:

Windows Local Security Authority Subsystem Service (LSASS)

Versions: Specific Windows versions as listed in Microsoft advisory

Operating Systems: Windows Server, Windows Client versions

Default Config Vulnerable: ⚠️ Yes

Notes: All Windows systems with LSASS running are potentially affected; exact version ranges should be verified via Microsoft advisory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

LSASS crashes, causing system-wide authentication failures, inability to log in, and disruption of security policies until system restart.

🟠

Likely Case

Temporary denial of service affecting authentication and security policy processing until LSASS restarts automatically or manually.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring; LSASS may restart automatically with minimal disruption.

🌐 Internet-Facing: MEDIUM - Attackers could exploit this over network if LSASS is exposed, but typical configurations limit direct internet access.

🏢 Internal Only: HIGH - Internal attackers or compromised systems on the network could exploit this to disrupt authentication services.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires network access to LSASS; authentication requirements depend on specific service configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20875

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Microsoft
2. Restart affected systems to complete patch installation
3. Verify LSASS service is running normally after restart

🔧 Temporary Workarounds

Restrict LSASS Network Access

windows

Limit network access to LSASS using Windows Firewall to reduce attack surface

New-NetFirewallRule -DisplayName "Block LSASS Remote" -Direction Inbound -Program "%SystemRoot%\System32\lsass.exe" -Action Block

Monitor LSASS Health

windows

Implement monitoring to detect and alert on LSASS crashes or restarts

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems running LSASS from untrusted networks
Deploy additional monitoring and alerting for LSASS service state changes and crashes

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for applied patches referencing CVE-2026-20875 or verify system version against Microsoft advisory

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify patch is installed via Windows Update history and confirm LSASS service is running stable version

📡 Detection & Monitoring

Log Indicators:

Event ID 1000 or 1001 in Application logs indicating lsass.exe crash
Unexpected LSASS service restarts in System logs

Network Indicators:

Unusual network connections to LSASS process (port 445/tcp or other authentication ports)
Multiple failed authentication attempts preceding service disruption

SIEM Query:

source="windows" (event_id=1000 OR event_id=1001) process_name="lsass.exe"

📊 Metadata

CVE ID: CVE-2026-20875

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.17% exploit probability (37.6th percentile)

Published: January 13, 2026

Last Updated: January 15, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20875 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict LSASS Network Access

Monitor LSASS Health

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities