Skip to main content

Microsoft CVE-2026-20928

| EUVDEUVD-2026-22352 MEDIUM
Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)
2026-04-14 microsoft GHSA-wfg3-6grc-fqv3
4.6
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
4.0 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22352
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 4.6

DescriptionCVE.org

Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.

AnalysisAI

Windows Recovery Environment Agent improperly stores sensitive information without adequate removal, allowing physical attackers to extract confidential data and bypass security features. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2016-2025, and Server Core installations across multiple builds. Microsoft has released vendor patches to remediate the information disclosure.

Technical ContextAI

The Windows Recovery Environment (WinRE) Agent is a critical component that operates during system recovery and repair operations. It handles sensitive data such as encryption keys, credentials, or system recovery information that should be purged before storage or transfer. CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) indicates the root cause: the agent fails to sanitize or securely delete sensitive data from memory, disk buffers, or temporary storage before those resources become accessible to an attacker with physical access. The attack vector (AV:P) confirms this requires physical device access-an attacker could extract the unremoved sensitive information via direct memory access, disk forensics, or hardware-based side channels after device compromise or seizure.

RemediationAI

Install the vendor-released security update from Microsoft addressing CVE-2026-20928. Patch availability for each affected version is listed in the EUVD affected versions range above; systems should be updated to builds exceeding the upper bound of each range (e.g., Windows 11 Version 26H1 systems should reach 10.0.28000.1836 or later). Consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20928 for exact cumulative update KB numbers and download links. For systems unable to patch immediately, restrict physical access to devices and implement full-disk encryption and BIOS/firmware security measures to mitigate the risk of direct memory or storage extraction. No authenticated or unauthenticated remote workarounds are applicable given the physical-only attack vector.

Share

CVE-2026-20928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy