U.S. CISA adds a flaw in Microsoft Windows to its Known Exploited Vulnerabilities catalog
2026-1-14 11:45:13 Author: securityaffairs.com


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Windows vulnerability, tracked as CVE-2026-20805 (CVSS Score of 8.7), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Microsoft's Patch Tuesday security updates for January 2026 addressed 112 CVEs affecting Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB, and Windows management services. Including third-party Chromium fixes, the total rises to 114 vulnerabilities.

One of these flaws, CVE-2026-20805, is actively exploited in the wild, and two others were publicly known at release. CVE-2026-20805 is an information disclosure flaw in the Windows Desktop Window Manager (DWM) that lets a local attacker leak small pieces of user-mode memory. It does not execute code by itself, but a leaked address is exactly what an attacker needs to defeat protections such as ASLR that rely on memory addresses being unknown, turning an otherwise unreliable memory-corruption bug into a working exploit.

“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally,” reads the advisory. “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”

This weakness shows how even limited information leaks can play a key role in full system compromise.

Microsoft did not share details about the attacks exploiting this vulnerability.

Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate each vulnerability listed in the catalog by its due date to protect their networks against attacks exploiting it.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA ordered federal agencies to fix this vulnerability by February 3, 2026.
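The "review the catalog and address what applies to you" advice above is routine to automate, because CISA publishes the KEV catalog as a JSON feed whose records carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` fields. The script below is an added example, not code from the article, from CISA or from Microsoft: it loads a feed in that layout, keeps the vendors you run, and reports which entries are remediated, still open, or past their BOD 22-01 due date. The feed text is constructed: the CVE-2026-20805 record uses the February 3, 2026 due date the article gives, while its `dateAdded` and description wording are assumptions, and the second record approximates the real Log4Shell (CVE-2021-44228) entry from memory.

```python
"""Triage a CISA KEV feed against local patch state (added example).

Record field names follow the public KEV JSON feed:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The sample feed below is constructed for this example.
"""
from __future__ import annotations

import json
from datetime import date
from typing import Iterable

# Constructed sample in the KEV feed layout. dateAdded for CVE-2026-20805
# is an assumption (three weeks before the 2026-02-03 due date the article
# reports); the Log4Shell record approximates the real catalog entry.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.01.13",
  "dateReleased": "2026-01-13T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-20805",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows Desktop Window Manager Information Disclosure Vulnerability",
      "dateAdded": "2026-01-13",
      "shortDescription": "Desktop Window Manager information disclosure (assumed wording).",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-02-03",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "shortDescription": "JNDI lookup remote code execution (approximate wording).",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24",
      "knownRansomwareCampaignUse": "Known"
    }
  ]
}"""


def load_kev(feed_text: str) -> list[dict]:
    """Parse a KEV feed and sanity-check the advertised entry count."""
    doc = json.loads(feed_text)
    entries = doc["vulnerabilities"]
    if doc.get("count") is not None and doc["count"] != len(entries):
        raise ValueError("KEV feed count does not match its entry list")
    return entries


def triage(entries: Iterable[dict], vendors: Iterable[str],
           remediated: set[str], today: date) -> list[dict]:
    """Return one status row per catalog entry for the given vendors.

    status is 'remediated' if the CVE is in the supplied set, 'overdue' if
    the BOD 22-01 due date has passed, otherwise 'open'. Overdue items sort
    first, then by days left, so the top of the list is what to patch now.
    """
    wanted = {v.lower() for v in vendors}
    report: list[dict] = []
    for e in entries:
        if e["vendorProject"].lower() not in wanted:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if e["cveID"] in remediated:
            status = "remediated"
        elif days_left < 0:
            status = "overdue"
        else:
            status = "open"
        report.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
            "status": status,
        })
    report.sort(key=lambda r: (r["status"] != "overdue", r["days_left"]))
    return report


if __name__ == "__main__":
    # 'remediated' would normally come from your patch inventory, e.g. the
    # KB list from Get-HotFix on each Windows host; here it is empty.
    for row in triage(load_kev(SAMPLE_KEV_JSON), ["Microsoft", "Apache"],
                      remediated=set(), today=date.today()):
        print(f"{row['cveID']:16} {row['status']:11} due {row['dueDate']} "
              f"({row['days_left']:+d} days) ransomware={row['ransomware']}")
```

Feeding the script the live catalog instead of `SAMPLE_KEV_JSON` is a single HTTP fetch of the feed URL; the `remediated` set is the part that has to come from your own inventory, and until CVE-2026-20805 appears in it the row stays "open" and then flips to "overdue" after February 3, 2026.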

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)




Source: https://securityaffairs.com/186898/security/u-s-cisa-adds-a-flaw-in-microsoft-windows-to-its-known-exploited-vulnerabilities-catalog.html