Micropatches released for Desktop Window Manager Elevation of Privilege Vulnerability (CVE-2026-20871)

January 2026 Windows Updates brought a patch for CVE-2026-20871, a local privilege escalation vulnerability in Desktop Window Manager, allowing a local unprivileged attacker to execute arbitrary code as System.
The vulnerability was anonymously reported to Microsoft through Trend Zero Day Initiative, but the official patch was reverse engineered and turned into a proof-of-concept by Joe Desimone of Elastic Security Labs. This, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.
The Vulnerability
This is a use-after-free vulnerability in Desktop Window Manager, and can be reliably triggered by a local user. In essence, a malformed call to a DWM function can result in a CSuperWetInkManager::RemoveSource function call being bypassed, leaving a dangling pointer that can later be referenced. For more details see Joe's article.
Microsoft's Patch
Microsoft fixed this issue by making sure CSuperWetInkManager::RemoveSource function always gets called.
Our Patch
Our patch is logically identical to Microsoft's, just simpler.
Let's see our patch in action. First, with 0patch disabled, the attacker runs a POC that crashes the Desktop Window Manager. With 0patch enabled, the POC no longer succeeds.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
Windows 11 v22H2 - fully updated
Windows 11 v21H2 - fully updated
Windows 10 v22H2 - updated to October 2025
Windows 10 v21H1 - fully updated
Windows 10 v20H2 - fully updated
Windows 10 v2004 - fully updated
Security-adopted Windows Server versions, and older Windows 10 and Windows 7 versions were found to be unaffected by this issue and thus required no patch.
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Joe Desimone for sharing their analysis and proof of concept, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.