CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jan

Released

2026-01-13

EPSS Score

0.07% (percentile: 21.4%)

Description

Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability? An attacker with the ability to modify certain directory attributes could provide crafted data that causes the system to reference invalid memory during authentication, potentially leading to a crash or other unintended behavior. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Affected Products (6)

Windows

• Windows Server 2025 (Server Core installation)
• Windows 11 Version 25H2 for ARM64-based Systems
• Windows 11 Version 25H2 for x64-based Systems
• Windows 11 Version 24H2 for ARM64-based Systems
• Windows 11 Version 24H2 for x64-based Systems
• Windows Server 2025

Security Updates (2)

• 5073379
• 5074109

Acknowledgments

Howard McGreehan with MSRC V&M

Revision History

• 2026-01-13: Information published.