CVE-2026-20806

MEDIUM

Windows COM Server Information Disclosure Vulnerability

Title source: cna
STIX 2.1

Description

Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally.

References (1)

Scores

CVSS v3 5.5
EPSS 0.0010
EPSS Percentile 28.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-843
Status published
Products (26)
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8644
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7184
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7184
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6936
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6936
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.32690
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8246
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8246
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1836
Microsoft/Windows Server 2019 10.0.17763.0 - 10.0.17763.8644
... and 16 more
Published Apr 14, 2026
Tracked Since Apr 14, 2026