PatchSiren cyber security CVE debrief
CVE-2026-20864 Microsoft CVE debrief
A heap-based buffer overflow vulnerability exists in the Connected Devices Platform Service (Cdpsvc) on multiple Windows operating systems. The flaw allows an authorized attacker with local access to elevate privileges to SYSTEM level. The vulnerability was disclosed by Microsoft on January 13, 2026, with the NVD record subsequently modified on May 26, 2026. Microsoft has released security updates addressing this issue across affected Windows 10, Windows 11, and Windows Server versions. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and carries a CVSS 3.1 score of 7.8 (High severity), reflecting significant impact to confidentiality, integrity, and availability with low attack complexity. No evidence of active exploitation or ransomware campaign use has been documented in available sources.
- Vendor: Microsoft
- Product: Windows 10 Version 1809
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-13
- Original CVE updated: 2026-05-26
- Advisory published: 2026-01-13
- Advisory updated: 2026-05-26
Who should care
Organizations running affected Windows versions with interactive local user access; security teams managing Windows endpoint and server patching programs; incident response teams monitoring for post-compromise privilege escalation activity
Technical summary
The Connected Devices Platform Service (Cdpsvc) contains a heap-based buffer overflow vulnerability that can be triggered by an authenticated local attacker. Successful exploitation results in elevation of privileges to SYSTEM. The service is a standard Windows component responsible for managing connected devices and their metadata. The vulnerability affects multiple Windows versions including Windows 10 (1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2), and Windows Server (2019, 2022, 2022 23H2, 2025). Microsoft has released patches that update Cdpsvc to non-vulnerable versions. The attack requires local access and low complexity, with no user interaction needed, making it attractive for attackers who have already gained an initial foothold on a target system.
Defensive priority
HIGH
Recommended defensive actions
- Apply Microsoft security updates for affected Windows versions as specified in the vendor advisory to remediate this vulnerability
- Prioritize patching on systems where Cdpsvc is enabled and where local user accounts have interactive access
- Review systems running Windows 10 1809, 21H2, 22H2; Windows 11 23H2, 24H2, 25H2; and Windows Server 2019, 2022, 2022 23H2, and 2025 for applicable patch levels
- Consider implementing detection scripts for anomalous Cdpsvc behavior as supplementary monitoring
- Validate patch deployment through version verification: Windows 10 1809 should be at 10.0.17763.8276 or later; Windows 10 21H2 at 10.0.19044.6809 or later; Windows 10 22H2 at 10.0.19045.6809 or later; Windows 11 23H2 at
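Added example (not from Microsoft or the original page): a Python check of the version-verification step above, run over a constructed "hostname,version" inventory export. It covers only the three builds the list states in full; the function names and sample hosts are assumptions.

```python
import csv
import io

# Minimum patched revision per OS build, taken from the validation step above.
# Only the three builds the page states in full are listed.
MIN_PATCHED = {
    17763: 8276,  # Windows 10 1809
    19044: 6809,  # Windows 10 21H2
    19045: 6809,  # Windows 10 22H2
}

def parse_build(version):
    """Split '10.0.<build>.<revision>' into (build, revision) integers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or parts[:2] != ["10", "0"]:
        raise ValueError(f"unexpected version string: {version!r}")
    return int(parts[2]), int(parts[3])

def patch_status(version):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparseable'."""
    try:
        build, revision = parse_build(version)
    except ValueError:
        return "unparseable"
    minimum = MIN_PATCHED.get(build)
    if minimum is None:
        return "unlisted"  # build not in the table; check the vendor advisory
    # Compare as integers: a string compare would rank '10000' below '6809'.
    return "patched" if revision >= minimum else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for 'hostname,version' rows."""
    results = {}
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) != 2 or row[0].strip().lower() == "hostname":
            continue  # skip header, blank and malformed rows
        results[row[0].strip()] = patch_status(row[1])
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """hostname,version
ws-01,10.0.17763.8276
ws-02,10.0.17763.8146
ws-03,10.0.19045.10000
srv-01,10.0.26100.1
ws-04,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" or "unparseable" need a manual check against the vendor advisory rather than being counted as patched.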
Evidence notes
The vulnerability is documented in the NVD with CPE configurations specifying affected Windows versions and patch levels. Microsoft has assigned this CVE and published a security advisory. Third-party security researchers at Vicarius have published detection and mitigation guidance. The CVSS vector confirms local attack vector with low complexity and high impact across all three security dimensions.
Official resources
- CVE-2026-20864 CVE record (CVE.org)
- CVE-2026-20864 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108
Microsoft disclosed this vulnerability on January 13, 2026. The NVD record was modified on May 26, 2026.