CVE-2026-20935

Published: Jan 13, 2026Modified: Jan 16, 2026

6.2

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.5 / Impact: 3.6

Source: secure@microsoft.com

Description

Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally.

Affected (6)

Products: Microsoft: Windows 11 23h2, Windows 11 24h2, Windows 11 25h2

3 products

Windows 11 23h2

Windows 11 24h2

Windows 11 25h2

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Microsoft Windows 11 23h2	Before 10.0.22631.6491
Microsoft Windows 11 23h2	Before 10.0.22631.6491
Microsoft Windows 11 24h2	Before 10.0.26100.7623
Microsoft Windows 11 24h2	Before 10.0.26100.7623
Microsoft Windows 11 25h2	Before 10.0.26200.7623
Microsoft Windows 11 25h2	Before 10.0.26200.7623

Related CWEs

Untrusted Pointer Dereference

The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20935

Source: secure@microsoft.com

Vendor Advisory

Timeline

No history available yet.