CVE-2026-20806
Type Confusion in Windows COM Allows Local Information Disclosure
Publication date: 2026-04-14
Last updated on: 2026-04-24
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_server_2019 | to 10.0.17763.8644 (exc) |
| microsoft | windows_server_2022 | to 10.0.20348.5020 (exc) |
| microsoft | windows_server_2022_23h2 | to 10.0.25398.2274 (exc) |
| microsoft | windows_server_2025 | to 10.0.26100.32690 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves access of a resource using an incompatible type, also known as 'type confusion', within Windows COM (Component Object Model).
It allows an authorized attacker to exploit this type confusion to disclose information locally on the affected system.
How can this vulnerability impact me? :
The vulnerability can lead to local information disclosure by an authorized attacker.
This means sensitive information could be exposed to someone with limited privileges on the system, potentially compromising confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authorized attacker to disclose information locally due to type confusion in Windows COM.
Such information disclosure could potentially impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.
However, the provided information does not specify the exact nature or sensitivity of the disclosed information or the direct compliance implications.