Windows DWM Vulnerability CVE-2026-20805 Added to CISA KEV | Quick Digest

CISA has added a critical Microsoft Windows information disclosure vulnerability (CVE-2026-20805) to its Known Exploited Vulnerabilities catalog. Actively exploited in the wild, the flaw in Desktop Window Manager requires urgent patching. India's CERT-In also issued an alert for Windows 10 and 11 users.

CISA listed CVE-2026-20805, a Windows DWM flaw, in KEV catalog.

Vulnerability is an information disclosure type, actively exploited.

Microsoft released fixes in its January 2026 Patch Tuesday updates.

Indian government's CERT-In issued a cybersecurity alert for Windows users.

The flaw allows attackers to bypass security measures locally.

Federal agencies must remediate by February 3, 2026; all organizations urged to patch.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a significant Microsoft Windows vulnerability, identified as CVE-2026-20805, to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means the flaw is being exploited in real-world attacks. The vulnerability is classified as an information disclosure flaw in the Windows Desktop Window Manager (DWM). Although its Common Vulnerability Scoring System (CVSS) base score is only 5.5 (Medium), active exploitation makes it a high-priority threat.

Attackers can use this vulnerability to leak small pieces of memory contents. Such a leak does not by itself lead to code execution, but it can be crucial for defeating mitigations such as Address Space Layout Randomization (ASLR), which is why information disclosure bugs of this kind are typically chained with other flaws to build more potent attacks.

Microsoft addressed CVE-2026-20805 as part of its January 2026 Patch Tuesday updates, which collectively fixed 114 security flaws across various Windows products. Under CISA's Binding Operational Directive 22-01, federal agencies must remediate this vulnerability by February 3, 2026, underscoring the urgency of immediate patching.

The Indian Computer Emergency Response Team (CERT-In) has also issued a cybersecurity alert specifically for Windows 10 and Windows 11 users in India, advising them to install the latest security updates promptly to reduce the risk of sensitive data exposure and potential system compromise. All organizations are strongly urged to prioritize patching this and other KEV catalog vulnerabilities as part of their vulnerability management practices.
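Tracking KEV due dates is a routine vulnerability-management task, so here is an added Python example (written for this digest, not code from CISA or Microsoft) that parses the KEV feed's JSON format, looks up a CVE by id and ranks entries by how close their BOD 22-01 remediation date is. The feed URL is CISA's real one; the embedded sample is constructed so the script runs offline, and within it only the CVE id, vendor, product, vulnerability class and the February 3, 2026 due date come from the digest. The `dateAdded` value and the whole second entry are placeholders.

```python
"""Triage helper for CISA's Known Exploited Vulnerabilities (KEV) feed.

Added example: parses the KEV JSON feed format, looks up a CVE, and lists
entries whose remediation due date is overdue or falls within a window.
"""
import json
import urllib.request
from datetime import date, datetime
from typing import Dict, List, Optional

# Real location of the KEV feed; fetch_live_kev() is optional and needs network.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the shape of the KEV feed. The CVE id, vendor, product,
# vulnerability class and due date come from the digest; every other value,
# including dateAdded and the entire second entry, is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20805",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Desktop Window Manager "
                                 "Information Disclosure Vulnerability",
            "dateAdded": "2026-01-13",  # placeholder
            "shortDescription": "Information disclosure in Desktop Window Manager.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-02-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder entry, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Vulnerability",
            "dateAdded": "2025-12-20",
            "shortDescription": "Placeholder.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-10",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def parse_kev(feed_text: str) -> List[Dict]:
    """Return the list of vulnerability records from KEV feed JSON."""
    return json.loads(feed_text)["vulnerabilities"]


def fetch_live_kev(timeout: int = 30) -> List[Dict]:
    """Download the current KEV feed (network access required)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def find_cve(entries: List[Dict], cve_id: str) -> Optional[Dict]:
    """Look up one record by CVE id (case-insensitive)."""
    wanted = cve_id.upper()
    return next((e for e in entries if e["cveID"].upper() == wanted), None)


def days_until_due(entry: Dict, today: date) -> int:
    """Days remaining until the BOD 22-01 due date; negative when overdue."""
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    return (due - today).days


def triage(entries: List[Dict], today: date, window_days: int = 14) -> List[Dict]:
    """Entries overdue or due within window_days, most urgent first.

    Each result carries cveID, product, dueDate and a days_left field.
    """
    rows = []
    for e in entries:
        left = days_until_due(e, today)
        if left <= window_days:
            rows.append({
                "cveID": e["cveID"],
                "product": f'{e["vendorProject"]} {e["product"]}',
                "dueDate": e["dueDate"],
                "days_left": left,
            })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    records = parse_kev(SAMPLE_KEV_JSON)  # swap in fetch_live_kev() for real data
    hit = find_cve(records, "cve-2026-20805")
    print(hit["cveID"], "due", hit["dueDate"])
    for row in triage(records, date(2026, 1, 20), window_days=30):
        print(f'{row["cveID"]:16} {row["dueDate"]} {row["days_left"]:+d}d  {row["product"]}')
```

Against the sample with a reference date of January 20, 2026, `triage()` reports the placeholder entry as 10 days overdue and CVE-2026-20805 as due in 14 days; pointing `records` at `fetch_live_kev()` instead applies the same ordering to the real catalog, which is a cheap daily check for a patch-management queue.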