CVE-2026-20875 is a vulnerability identified in Microsoft Windows 10 Version 1607, specifically affecting the Local Security Authority Subsystem Service (LSASS). The issue is a null pointer dereference (CWE-476), which occurs when the LSASS process attempts to access or dereference a pointer that is null, leading to a system crash or denial of service. LSASS is a critical Windows component responsible for enforcing security policies, handling authentication, and managing user logins. The vulnerability can be triggered remotely over the network without requiring any authentication or user interaction, making it a network-based denial of service vector. The CVSS v3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to availability (A:H), with no confidentiality or integrity impact. The vulnerability was reserved in December 2025 and published in January 2026. No patches or known exploits are currently available, but the vulnerability poses a risk to systems still running this legacy Windows 10 version. Exploiting this flaw could cause LSASS to crash, resulting in system instability or forced reboots, disrupting business operations and potentially causing downtime in critical environments.

The primary impact of CVE-2026-20875 is denial of service, which can disrupt availability of affected Windows 10 Version 1607 systems. Since LSASS is a core security process, its failure can cause system crashes or forced reboots, leading to downtime and potential loss of productivity. Organizations relying on legacy Windows 10 installations, especially in environments where uptime is critical (e.g., industrial control systems, healthcare, financial services), may face operational disruptions. Although the vulnerability does not expose sensitive data or allow privilege escalation, the ease of remote exploitation without authentication increases the risk of widespread DoS attacks. Attackers could leverage this flaw to disrupt services, cause interruptions in authentication services, or create denial of service conditions in enterprise networks. The lack of known exploits in the wild currently limits immediate risk, but unpatched systems remain vulnerable to future attack development.

To mitigate CVE-2026-20875, organizations should prioritize upgrading or patching affected Windows 10 Version 1607 systems as soon as Microsoft releases a security update addressing this vulnerability. In the absence of a patch, network-level mitigations can reduce exposure: restrict inbound traffic to LSASS-related services using firewalls or network segmentation, especially from untrusted networks. Employ intrusion detection/prevention systems (IDS/IPS) to monitor and block anomalous traffic patterns targeting LSASS. Disable or limit legacy protocols and services that may expose LSASS to remote access. Regularly audit and inventory systems to identify any running Windows 10 Version 1607 and plan for migration to supported Windows versions with active security updates. Implement robust network access controls and monitoring to detect potential exploitation attempts. Additionally, maintain comprehensive backups and incident response plans to quickly recover from potential denial of service incidents.