CVE-2026-20818

Description

Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally.

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:* - VULNERABLE

Windows 10 version 1809

Windows 10 version 1903

Windows 10 version 1909

Windows 10 version 2004

Windows 10 version 20H2

Windows 10 version 21H1

Windows 10 version 21H2

Windows 11 version 21H2

Windows 11 version 22H2

Windows Server 2019

Windows Server 2022

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-20818 Windows Kernel Information Disclosure PoC
# Author: Security Researcher
# Note: This PoC demonstrates the vulnerability concept

import os
import sys
import subprocess

def check_vulnerability():
    """
    Check if the system is vulnerable to CVE-2026-20818
    This vulnerability allows local attackers to read sensitive information
    from Windows Kernel logs
    """
    print("[*] CVE-2026-20818 Windows Kernel Information Disclosure Check")
    print("[*] Target: Windows Kernel")
    print("[*] Vulnerability: Sensitive information insertion into log file")
    
    # Check Windows version
    try:
        result = subprocess.run(['systeminfo'], capture_output=True, text=True)
        print(f"\n[+] System Information:")
        for line in result.stdout.split('\n')[:5]:
            print(f"    {line}")
    except Exception as e:
        print(f"[-] Error gathering system info: {e}")
    
    # Check for sensitive data in common log locations
    log_paths = [
        r'C:\Windows\System32\winevt\Logs',
        r'C:\Windows\System32\config\SYSTEM',
        r'C:\Windows\Debug\mrt.log'
    ]
    
    print("\n[*] Checking accessible log files...")
    for path in log_paths:
        if os.path.exists(path):
            print(f"[+] Found: {path}")
            try:
                files = os.listdir(path)
                for f in files[:5]:
                    print(f"    - {f}")
            except PermissionError:
                print(f"    [-] Access denied")
    
    # Check for kernel debug output
    print("\n[*] Checking kernel debug settings...")
    try:
        result = subprocess.run(
            ['reg', 'query', 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Debug Print Filter'],
            capture_output=True, text=True
        )
        if result.returncode == 0:
            print("[+] Debug Print Filter found")
            print(result.stdout)
    except:
        pass
    
    print("\n[*] Mitigation: Apply Microsoft security updates")
    print("[*] Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20818")
    
    return True

if __name__ == "__main__":
    if sys.platform != "win32":
        print("[-] This PoC is designed for Windows systems only")
        sys.exit(1)
    check_vulnerability()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20818
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20818
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20818/
[4] VulDB https://vuldb.com/cve/CVE-2026-20818
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20818

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20818", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:08.810", "lastModified": "2026-01-14T20:32:15.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally."}, {"lang": "es", "value": "Inserción de información sensible en un archivo de registro en el kernel de Windows permite a un atacante no autorizado divulgar información localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.14393.8783", "matchCriteriaId": "A059E609-F8D4-4246-BDAE-0AEDED1744D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A74970A1-CC81-4482-B465-8382B1544EF3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4648", "matchCriteriaId": "C4AA6991-DE34-48F6-AFD3-77CEE7FBB692"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2092", "matchCriteriaId": "BA5947E0-C44C-4517-A307-DA79752F30A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "C6BE8CAC-3A47-48FC-A0FD-F0F0ADD2A9CE"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20818", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}