CVE-2026-20941

Published Jan 13, 2026

Last updated 5 months ago

CVSS high 7.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-20941 is a local privilege escalation vulnerability found in the Host Process for Windows Tasks. This flaw stems from improper link resolution before file access, often referred to as "link following" (CWE-59). An authorized attacker with local access to the system can exploit this vulnerability to elevate their privileges. Specifically, the vulnerability can be leveraged by manipulating symbolic links and junction points, potentially through the `\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration` scheduled task, to trick the Host Process for Windows Tasks into performing unauthorized file operations. This issue affects Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025.

Description
Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
Source
secure@microsoft.com
NVD status
Analyzed
Products
windows_11_24h2, windows_11_25h2, windows_server_2025

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-59

Social media

Hype score
Not currently trending

  1. The following weaponized vulnerabilities have been added to our n-day feed: - CVE-2025-61882: Oracle EBS - RCE - CVE-2026-24423: SmarterMail - RCE - CVE-2026-20941: Host Process - LPE - 0DAY-2026-0001: Visual Studio - Info Disclosure https://t.co/Nw6eZdtCs8

    @crowdfense

    26 Feb 2026

    1625 Impressions

    6 Retweets

    25 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.CVE-2026-45585
  2. Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.CVE-2026-42896
  3. Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.CVE-2026-42825
  4. Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.CVE-2026-41097
  5. Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.CVE-2026-41096

References

Sources include official advisories and independent security research.