CVE-2026-20875: CWE-476: NULL Pointer Dereference in Microsoft Windows 10 Version 1809
Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.
AI Analysis
Technical Summary
CVE-2026-20875 is a vulnerability classified under CWE-476 (NULL Pointer Dereference) affecting the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows 10 Version 1809 (build 10.0.17763.0). LSASS is a critical component responsible for enforcing security policies, handling authentication, and managing user logins. The flaw arises when LSASS dereferences a NULL pointer, which leads to an unhandled exception causing the service to crash. Since LSASS is integral to system security and stability, its crash results in a denial of service (DoS) condition, potentially forcing the system to reboot or become unresponsive. The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction, making it accessible to unauthenticated attackers. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation (low attack complexity), no privileges required, and significant impact on availability, though confidentiality and integrity remain unaffected. No public exploits or patches are currently available, but the vulnerability is officially published and tracked. This issue primarily affects legacy Windows 10 installations, which may still be present in certain enterprise or industrial environments. The lack of patches necessitates proactive mitigation to prevent potential exploitation.
Potential Impact
The primary impact of CVE-2026-20875 is a denial of service condition caused by crashing LSASS, which can lead to system instability, forced reboots, or complete unavailability of affected Windows 10 Version 1809 systems. For European organizations, this could disrupt critical business operations, especially in sectors relying on legacy Windows systems such as manufacturing, healthcare, or government agencies. The vulnerability does not expose sensitive data or allow privilege escalation, but the loss of availability can halt services, impact productivity, and cause downtime. Network-exposed systems running this Windows version are particularly vulnerable to remote DoS attacks, which could be leveraged in targeted campaigns or opportunistic attacks. The absence of known exploits reduces immediate risk, but the ease of exploitation and critical nature of LSASS make this a significant threat if weaponized. Organizations with legacy infrastructure or slow patch cycles are at higher risk of operational impact.
Mitigation Recommendations
1. Upgrade affected systems to a supported and patched version of Windows 10 or later to eliminate the vulnerability. 2. If upgrading is not immediately feasible, implement network segmentation and firewall rules to restrict access to LSASS-related services (such as RPC and other authentication endpoints) from untrusted networks. 3. Employ intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious traffic targeting LSASS. 4. Regularly audit and inventory systems to identify those still running Windows 10 Version 1809 and prioritize remediation. 5. Apply any Microsoft security advisories or hotfixes promptly once available. 6. Use endpoint protection solutions capable of detecting abnormal LSASS crashes or exploitation attempts. 7. Educate IT staff about the vulnerability to ensure rapid response to any signs of exploitation or system instability. 8. Consider deploying network-level rate limiting or anomaly detection to mitigate potential DoS attempts targeting LSASS.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands
CVE-2026-20875: CWE-476: NULL Pointer Dereference in Microsoft Windows 10 Version 1809
Description
Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.
AI-Powered Analysis
Technical Analysis
CVE-2026-20875 is a vulnerability classified under CWE-476 (NULL Pointer Dereference) affecting the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows 10 Version 1809 (build 10.0.17763.0). LSASS is a critical component responsible for enforcing security policies, handling authentication, and managing user logins. The flaw arises when LSASS dereferences a NULL pointer, which leads to an unhandled exception causing the service to crash. Since LSASS is integral to system security and stability, its crash results in a denial of service (DoS) condition, potentially forcing the system to reboot or become unresponsive. The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction, making it accessible to unauthenticated attackers. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation (low attack complexity), no privileges required, and significant impact on availability, though confidentiality and integrity remain unaffected. No public exploits or patches are currently available, but the vulnerability is officially published and tracked. This issue primarily affects legacy Windows 10 installations, which may still be present in certain enterprise or industrial environments. The lack of patches necessitates proactive mitigation to prevent potential exploitation.
Potential Impact
The primary impact of CVE-2026-20875 is a denial of service condition caused by crashing LSASS, which can lead to system instability, forced reboots, or complete unavailability of affected Windows 10 Version 1809 systems. For European organizations, this could disrupt critical business operations, especially in sectors relying on legacy Windows systems such as manufacturing, healthcare, or government agencies. The vulnerability does not expose sensitive data or allow privilege escalation, but the loss of availability can halt services, impact productivity, and cause downtime. Network-exposed systems running this Windows version are particularly vulnerable to remote DoS attacks, which could be leveraged in targeted campaigns or opportunistic attacks. The absence of known exploits reduces immediate risk, but the ease of exploitation and critical nature of LSASS make this a significant threat if weaponized. Organizations with legacy infrastructure or slow patch cycles are at higher risk of operational impact.
Mitigation Recommendations
1. Upgrade affected systems to a supported and patched version of Windows 10 or later to eliminate the vulnerability. 2. If upgrading is not immediately feasible, implement network segmentation and firewall rules to restrict access to LSASS-related services (such as RPC and other authentication endpoints) from untrusted networks. 3. Employ intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious traffic targeting LSASS. 4. Regularly audit and inventory systems to identify those still running Windows 10 Version 1809 and prioritize remediation. 5. Apply any Microsoft security advisories or hotfixes promptly once available. 6. Use endpoint protection solutions capable of detecting abnormal LSASS crashes or exploitation attempts. 7. Educate IT staff about the vulnerability to ensure rapid response to any signs of exploitation or system instability. 8. Consider deploying network-level rate limiting or anomaly detection to mitigate potential DoS attempts targeting LSASS.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- microsoft
- Date Reserved
- 2025-12-03T05:54:20.387Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69668ae1a60475309f9ae172
Added to database: 1/13/2026, 6:11:45 PM
Last enriched: 2/4/2026, 8:53:55 AM
Last updated: 2/7/2026, 11:30:43 AM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2083: SQL Injection in code-projects Social Networking Site
MediumCVE-2026-2082: OS Command Injection in D-Link DIR-823X
MediumCVE-2026-2080: Command Injection in UTT HiPER 810
HighCVE-2026-2079: Improper Authorization in yeqifu warehouse
MediumCVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.