CVE-2026-20851 is a vulnerability classified as CWE-125 (Out-of-bounds Read) found in the Capability Access Management Service (camsvc) component of Microsoft Windows Server 2025, specifically in Server Core installations. The flaw allows an unauthorized attacker with local access to the system to read memory beyond the intended buffer boundaries. This out-of-bounds read can lead to disclosure of sensitive information stored in memory, potentially including credentials, tokens, or other security-critical data. The vulnerability does not require any privileges (PR:N), user interaction (UI:N), or network access (AV:L indicates local access only), limiting the attack vector to local attackers or malware running on the system. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. The CVSS v3.1 base score is 6.2, indicating a medium severity primarily due to the high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N). The exploitability is considered low complexity (AC:L), and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026, with no patches currently linked, suggesting that organizations should prepare for imminent updates. The Server Core installation is a minimal Windows Server installation option commonly used in enterprise environments for improved security and reduced attack surface, making this vulnerability particularly relevant for organizations leveraging this configuration.

For European organizations, the primary impact of CVE-2026-20851 is the potential unauthorized disclosure of sensitive information from Windows Server 2025 Server Core installations. This could lead to leakage of credentials, tokens, or other confidential data that attackers could leverage for further attacks, such as privilege escalation or lateral movement. Although the vulnerability requires local access, it poses a risk in environments where multiple users have access to servers or where malware could gain local execution. Critical infrastructure sectors, financial institutions, and government agencies using Windows Server 2025 Server Core could face increased risk of data breaches or espionage. The lack of impact on integrity and availability reduces the risk of service disruption but does not diminish the importance of confidentiality breaches in sensitive environments. The medium severity rating reflects a moderate but significant threat that should be addressed promptly to prevent exploitation in targeted attacks.

1. Restrict local access to Windows Server 2025 Server Core systems by enforcing strict access controls and limiting administrative privileges. 2. Implement robust endpoint protection and monitoring to detect unusual local activity or attempts to exploit memory vulnerabilities. 3. Use application whitelisting and restrict execution of unauthorized code to reduce the risk of local exploitation. 4. Prepare for deployment of official patches from Microsoft by maintaining an up-to-date inventory of affected systems and testing patch compatibility in controlled environments. 5. Employ memory protection technologies such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to mitigate exploitation impact. 6. Conduct regular security audits and vulnerability assessments focusing on local privilege escalation and information disclosure vectors. 7. Educate system administrators about the risks of local vulnerabilities and the importance of minimizing local user access on critical servers.