CVE-2026-20935
📋 TL;DR
This vulnerability allows an unauthorized local attacker to read sensitive information from Windows Virtualization-Based Security (VBS) Enclave memory through untrusted pointer dereference. It affects Windows systems with VBS enabled, potentially exposing kernel or hypervisor data to local users.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 11 23h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
Windows 11 24h2 by Microsoft
Windows 11 25h2 by Microsoft
Windows 11 25h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to sensitive kernel memory, hypervisor secrets, or credential data stored in VBS enclaves, leading to privilege escalation or complete system compromise.
Likely Case
Local information disclosure of protected memory regions, potentially exposing sensitive data but not direct code execution.
If Mitigated
Limited impact with proper access controls and monitoring; attacker may only access non-critical memory regions.
🎯 Exploit Status
Requires local access and ability to execute code; exploitation involves manipulating pointer dereferences in VBS enclave context.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific patch version not yet released; check Microsoft Security Update Guide
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20935
Restart Required: Yes
Instructions:
1. Check Microsoft Security Update Guide for patch availability. 2. Apply Windows Update through Settings > Update & Security > Windows Update. 3. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager. 4. Restart system after patch installation.
🔧 Temporary Workarounds
Disable VBS Feature
windowsDisable Virtualization-Based Security if not required, eliminating the vulnerable component.
bcdedit /set hypervisorlaunchtype off
Restart system
Restrict Local User Privileges
windowsImplement least privilege access controls to limit local code execution capabilities.
🧯 If You Can't Patch
- Disable VBS feature if not required for security compliance
- Implement strict local access controls and monitor for suspicious memory access patterns
🔍 How to Verify
Check if Vulnerable:
Check if VBS is enabled: Run 'msinfo32' and check 'Virtualization-based security' status under System Summary.Check Version:
wmic os get caption, version, buildnumberVerify Fix Applied:
Verify Windows Update history shows the CVE-2026-20935 patch installed and check VBS status remains functional.📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing unauthorized memory access attempts
- Event ID 4656 (handle request) with VBS-related objects
Network Indicators:
- No network indicators - local-only vulnerability
SIEM Query:
EventID=4656 AND ObjectName LIKE "%VBS%" OR ProcessName LIKE "%vbs%"