CVE-2026-20868 · Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS)

01 · The Real Story

This is a booby-trapped service hatch, not a building-wide master key

CVE-2026-20868 is a heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) that can lead to remote code execution. Microsoft published it on 2026-01-13 with CVSS 8.8 and the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. NVD shows affected Windows builds spanning legacy and current releases, including Windows 10 1607 through 22H2, Windows 11 23H2 through 25H2, and Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025, with fixed build cutoffs such as 10.0.14393.8783, 10.0.17763.8276, 10.0.19044.6809, 10.0.19045.6809, 10.0.22631.6491, 10.0.26100.7623, 10.0.26200.7623, 10.0.20348.4648, 10.0.25398.2092, and 10.0.26100.32230.

The vendor score is technically defensible in a lab because unauthenticated network-triggered RCE in a privileged Windows service is always ugly. In the real world, though, two big brakes matter: RRAS is an optional role/service rather than a universal exposure, and Microsoft's own scoring says UI:R, which means this is not a clean wormable edge-service bug. Add no KEV listing, very low EPSS, and no public exploit chain visible in official references, and the practical enterprise priority lands below a generic HIGH.

"Serious on exposed RRAS gateways, but too role-specific and interaction-dependent to keep the vendor's 8.8 in most estates."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable RRAS endpoint

The attacker first needs a Windows host that actually exposes RRAS functionality, typically a VPN or routing gateway. In practice this means identifying systems with the RemoteAccess role/service enabled and reachable over the relevant VPN or routing paths; a Shodan-style census or internal asset inventory does this, but there is no evidence this CVE is broadly exploitable across ordinary Windows desktops.

Conditions required:

Target runs an affected Windows build
RRAS is installed or enabled
The RRAS-facing protocol surface is reachable from the attacker's network position

Where this breaks in practice:

RRAS is an optional role, not present or enabled on most Windows endpoints
Microsoft notes the RemoteAccess service is disabled by default
Many enterprises terminate remote access on dedicated appliances or cloud VPNs, not Windows RRAS

Detection/coverage: Good CMDB and role inventory should catch most of this population. External attack-surface tools can find internet-facing VPN endpoints, but they will not reliably fingerprint this specific CVE.

STEP 02

Reach the vulnerable code path with interaction

Microsoft's vector includes UI:R, so the exploit chain is not a pure blind packet-spray. The attacker likely needs an operator or system action that causes RRAS to process attacker-controlled input, such as interacting with a malicious peer, connection, or crafted network flow; weaponization here would be a custom packet generator or rogue VPN endpoint rather than a one-click worm.

Conditions required:

Attacker can present crafted input to RRAS
A user, admin, or RRAS workflow performs the required interaction

Where this breaks in practice:

User interaction sharply narrows reachable victims compared with classic pre-auth edge RCE
Modern admin workflows, MFA, and network policy can block or reduce untrusted peer establishment
No public exploit module is referenced in official records

Detection/coverage: Network sensors may catch anomalous VPN negotiation or malformed RRAS traffic, but scanner coverage for the interaction-dependent trigger is likely weak.

STEP 03

Trigger the heap overflow in RRAS

Once the vulnerable parser or handler is reached, a crafted input can corrupt heap state inside the RRAS process. A realistic weapon would be a custom harness using protocol-aware fuzzing or a bespoke exploit client, because there is no public Metasploit or GitHub exploit referenced by NVD.

Conditions required:

Malformed input reaches the vulnerable RRAS code path
Target build is below the fixed build threshold

Where this breaks in practice:

Reliability on modern Windows heap behavior can be non-trivial
RRAS protocol variation across deployments may make exploitation brittle
Middleboxes, IPS, or protocol restrictions may sanitize or block malformed traffic

Detection/coverage: Crash telemetry, Windows Error Reporting, and EDR process-fault alerts can catch failed attempts. Traditional vulnerability scanners will mostly infer exposure from versioning rather than prove exploitability.

STEP 04

Land code execution in a high-privilege service

Successful exploitation would execute in the RRAS service context, which is operationally powerful because RRAS sits on a network chokepoint. That makes the blast radius meaningful on the relatively small set of systems that do run RRAS: credential relay, traffic interception, lateral movement, and gateway disruption are all plausible follow-on actions.

Conditions required:

Exploit succeeds without crashing the service irrecoverably
Attacker can run follow-on payloads on the compromised host

Where this breaks in practice:

EDR on Windows Server often detects post-exploitation behavior even when the memory corruption itself is missed
Gateway hosts are frequently more tightly monitored than ordinary servers

Detection/coverage: EDR and Windows eventing should be strong for the post-exploitation stage: suspicious child processes, service crashes, memory tampering, and outbound beaconing from svchost-hosted service contexts are all high-signal.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in authoritative sources reviewed. Not listed in CISA KEV as of the catalog page consulted.
Proof-of-concept availability	No public exploit repo or exploit module is referenced in NVD. NVD does reference Vicarius detection and mitigation scripts, which suggests defender tooling exists, but not a public weaponized exploit.
EPSS	`0.00209` from the user-supplied intel, which is very low in absolute terms and argues against near-term mass exploitation pressure.
KEV status	No. No KEV due date applies because the CVE is not in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector readout	`AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` means remote, easy-to-trigger in principle, no auth needed, but user interaction required. That `UI:R` is the biggest reality check against treating this like a wormable edge-service RCE.
Exposure population	RRAS is an optional Remote Access / VPN / Routing role, and Microsoft states the `RemoteAccess` service is disabled by default. This materially shrinks the exposed population versus ubiquitous Windows components.
Affected versions	NVD lists Windows 10 1607, 1809, 21H2, 22H2; Windows 11 23H2, 24H2, 25H2; Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025.
Fixed versions	NVD gives the first non-vulnerable builds as `10.0.14393.8783`, `10.0.17763.8276`, `10.0.19044.6809`, `10.0.19045.6809`, `10.0.22631.6491`, `10.0.26100.7623`, `10.0.26200.7623`, `10.0.20348.4648`, `10.0.25398.2092`, and `10.0.26100.32230`. For older server lines such as 2008/2012 families, use the Microsoft update guidance and your servicing channel because those often rely on cumulative servicing or extended support backports.
Scanning and exposure data	No authoritative internet-wide count for this CVE was found in primary sources. The practical exposure proxy is whether you have any hosts with the Windows Remote Access role or `RemoteAccess` service enabled and reachable from untrusted networks.
Disclosure and attribution	Published 2026-01-13 by Microsoft. No public researcher attribution or acknowledgment was visible in the accessible official records reviewed.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.2/10)

The decisive factor is that this bug does not behave like a broadly reachable, no-click edge RCE: Microsoft's own vector says UI:R, and RRAS is an optional role that many enterprises simply do not expose. That combination collapses both reachable population and exploitation convenience, which is why this lands in MEDIUM despite the ugly theoretical impact.

HIGH Vendor metadata, affected versions, and fixed build thresholds

MEDIUM Practical exploitability downgrade driven by `UI:R` and RRAS deployment rarity

LOW Exact interaction trigger mechanics, because Microsoft has not publicly documented the exploit path in accessible detail

Why this verdict

Baseline starts at 8.8 HIGH because unauthenticated network RCE in a Windows service is severe on paper.
First downward adjustment: optional role exposure. RRAS is a niche Windows role compared with SMB, RDP, or HTTP stacks, and Microsoft documents RemoteAccess as disabled by default, so the exposed population is much smaller than the CVSS baseline assumes.
Second downward adjustment: user interaction required. UI:R means this is not a spray-and-pray worm candidate; it implies a narrower trigger path that many modern controls and workflows will never hit.
Third downward adjustment: no exploitation pressure. There is no KEV listing, no public in-the-wild reporting in authoritative sources reviewed, and the supplied EPSS is very low.
Residual upward pressure remains because a successful hit lands on a gateway-class host with meaningful network position and likely high privileges.

Why not higher?

If this were UI:N on an always-on, internet-facing service, it would stay HIGH or higher without much debate. But requiring user interaction and depending on a non-default Windows role are two compounding brakes that materially reduce both reach and attacker reliability.

Why not lower?

This is still remote code execution against a Windows networking service, not a cosmetic bug or a local-only issue. On the subset of organizations that do expose RRAS gateways, compromise of that host can have outsized blast radius because it sits directly in the remote-access path.

05 · Compensating Control

What to do — in priority order.

Inventory RRAS immediately — Identify all systems with the Windows Remote Access role or RemoteAccess service enabled, then tag which are internet-facing. For a MEDIUM verdict there is no mitigation SLA, but do this now anyway because you cannot prioritize what you cannot see.
Restrict untrusted reachability — Limit RRAS exposure to required source IP ranges, VPN peers, and administrative networks. Where business allows, remove direct internet exposure or place strict edge ACLs in front of RRAS; this is the highest-value compensating control until the vendor patch is applied within the remediation window.
Disable unused VPN protocols — Use Microsoft guidance to turn off unneeded RRAS protocols and legacy options, especially anything retained only for backward compatibility. Reducing protocol surface cuts the number of code paths an attacker can drive before you remediate.
Harden gateway monitoring — Increase EDR sensitivity and alerting on RRAS hosts for service crashes, suspicious child processes, and unusual outbound connections from service contexts. This helps catch exploit attempts or post-exploitation behavior while you work through patching.
Patch exposed RRAS first — Apply the Microsoft security update to externally reachable RRAS hosts before the rest of the affected Windows population. Under the MEDIUM bucket there is no mitigation SLA, so go straight to the remediation window, but exposed gateways should still be treated as the front of the queue.

What doesn't work

Generic perimeter AV signatures do not reliably stop protocol-level memory-corruption attempts in RRAS.
MFA helps protect VPN logon abuse, but it does not remediate a vulnerability in the RRAS service itself if the vulnerable parser is reached before or outside authentication.
Relying only on enterprise vulnerability scanners is weak here because they will mostly flag versions, not prove whether the RRAS role is enabled or the vulnerable interaction path is reachable.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host you want to verify, from an elevated PowerShell session. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-cve-2026-20868.ps1; local admin is recommended because the script reads OS version data and service configuration for RemoteAccess.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-cve-2026-20868.ps1
# Purpose: Determine likely patch state for CVE-2026-20868 on a local Windows host.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Get-OsInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName   = [string]$cv.ProductName
        DisplayVersion= [string]$cv.DisplayVersion
        ReleaseId     = [string]$cv.ReleaseId
        CurrentBuild  = [int]$cv.CurrentBuildNumber
        UBR           = [int]$cv.UBR
        BuildLabEx    = [string]$cv.BuildLabEx
    }
}

function Get-ServiceState {
    try {
        $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
        return [pscustomobject]@{
            Present    = $true
            State      = [string]$svc.State
            StartMode  = [string]$svc.StartMode
        }
    } catch {
        return [pscustomobject]@{
            Present    = $false
            State      = 'Absent'
            StartMode  = 'Absent'
        }
    }
}

function Compare-Build {
    param(
        [int]$CurrentBuild,
        [int]$CurrentUBR,
        [int]$FixedBuild,
        [int]$FixedUBR
    )
    if ($CurrentBuild -lt $FixedBuild) { return -1 }
    if ($CurrentBuild -gt $FixedBuild) { return 1 }
    if ($CurrentUBR -lt $FixedUBR) { return -1 }
    if ($CurrentUBR -gt $FixedUBR) { return 1 }
    return 0
}

function Get-Threshold {
    param([pscustomobject]$Os)

    $pn = $Os.ProductName
    $dv = $Os.DisplayVersion
    $rb = $Os.ReleaseId
    $build = $Os.CurrentBuild

    switch ($build) {
        14393 { return @{ Name='Windows 10 1607 / Server 2016'; FixedBuild=14393; FixedUBR=8783 } }
        17763 { return @{ Name='Windows 10 1809 / Server 2019'; FixedBuild=17763; FixedUBR=8276 } }
        19044 { return @{ Name='Windows 10 21H2'; FixedBuild=19044; FixedUBR=6809 } }
        19045 { return @{ Name='Windows 10 22H2'; FixedBuild=19045; FixedUBR=6809 } }
        20348 { return @{ Name='Windows Server 2022'; FixedBuild=20348; FixedUBR=4648 } }
        22631 { return @{ Name='Windows 11 23H2'; FixedBuild=22631; FixedUBR=6491 } }
        25398 { return @{ Name='Windows Server 2022 23H2'; FixedBuild=25398; FixedUBR=2092 } }
        26100 {
            if ($pn -match 'Server 2025') {
                return @{ Name='Windows Server 2025'; FixedBuild=26100; FixedUBR=32230 }
            } else {
                return @{ Name='Windows 11 24H2'; FixedBuild=26100; FixedUBR=7623 }
            }
        }
        26200 { return @{ Name='Windows 11 25H2'; FixedBuild=26200; FixedUBR=7623 } }
        default { return $null }
    }
}

try {
    $os  = Get-OsInfo
    $svc = Get-ServiceState
    $thr = Get-Threshold -Os $os

    Write-Host ('Host OS      : {0}' -f $os.ProductName)
    Write-Host ('Display Ver  : {0}' -f ($(if ($os.DisplayVersion) { $os.DisplayVersion } else { $os.ReleaseId })))
    Write-Host ('Build        : {0}.{1}' -f $os.CurrentBuild, $os.UBR)
    Write-Host ('RemoteAccess : present={0} state={1} startmode={2}' -f $svc.Present, $svc.State, $svc.StartMode)

    if (-not $thr) {
        Write-Host 'UNKNOWN - OS build not in local threshold map; check Microsoft guidance for this platform.'
        exit 2
    }

    Write-Host ('Threshold    : {0} fixed at {1}.{2}' -f $thr.Name, $thr.FixedBuild, $thr.FixedUBR)

    $cmp = Compare-Build -CurrentBuild $os.CurrentBuild -CurrentUBR $os.UBR -FixedBuild $thr.FixedBuild -FixedUBR $thr.FixedUBR

    if ($cmp -lt 0) {
        Write-Host 'VULNERABLE - build is below the published fixed threshold for CVE-2026-20868.'
        if ($svc.Present -and $svc.StartMode -eq 'Disabled') {
            Write-Host 'Note: RemoteAccess is disabled, which reduces exposure, but the host is still below the patch level.'
        }
        exit 1
    } elseif ($cmp -ge 0) {
        Write-Host 'PATCHED - build meets or exceeds the published fixed threshold for CVE-2026-20868.'
        exit 0
    } else {
        Write-Host 'UNKNOWN - unable to compare current build to threshold.'
        exit 2
    }
}
catch {
    Write-Host ('UNKNOWN - {0}' -f $_.Exception.Message)
    exit 2
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull an inventory of every host with the Windows Remote Access role or RemoteAccess service, split out anything internet-facing, and patch those first. Because this reassessment lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for the general population, but do not hide behind that on exposed RRAS gateways: apply edge restrictions immediately where feasible and complete patching of exposed RRAS systems as your first remediation tranche, with the rest of affected builds closed inside the noisgate remediation SLA of <= 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.