Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
AnalysisAI
BitLocker encryption bypass in Windows Server 2012 through 2022 enables local attackers with physical access to circumvent disk encryption protections without authentication. The vulnerability affects all Server Core and standard editions across ten years of Windows Server releases. Patch available per Microsoft Security Response Center (MSRC-2026-27913). No public exploit identified at time of analysis, but the local attack vector (AV:L) with no authentication requirement (PR:N) indicates high risk in scenarios where physical device access is possible, such as lost/stolen servers or insider threats.
Technical ContextAI
BitLocker is Microsoft's full-disk encryption technology integrated into Windows Server operating systems to protect data at rest through AES encryption and Trusted Platform Module (TPM) integration. This vulnerability represents an input validation flaw (CWE-20) in the BitLocker security feature itself, where improper validation of locally-provided data allows bypass of encryption protections. The CPE data identifies affected components across Windows Server 2012 (build 6.2.9200), Server 2012 R2 (6.3.9600), Server 2016 (10.0.14393), Server 2019 (10.0.17763), and Server 2022/23H2 (10.0.20348/10.0.25398). Both standard installations and Server Core installations are vulnerable. The input validation weakness likely exists in pre-boot authentication mechanisms, recovery key handling, or volume mounting procedures where BitLocker validates credentials or system state before granting access to encrypted volumes.
RemediationAI
Apply Microsoft security updates immediately to patch the BitLocker input validation vulnerability. Fixed versions are Windows Server 2012 build 6.2.9200.26026 or later, Windows Server 2012 R2 build 6.3.9600.23132 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, and Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later. Updates are delivered through standard Windows Update channels or WSUS for enterprise environments. Until patching is complete, implement compensating controls including enhanced physical security for servers with BitLocker-encrypted volumes, restricted physical access to server rooms and data centers, chassis intrusion detection where available, and accelerated decommissioning procedures for devices removed from secure facilities. Review BitLocker recovery key storage security and audit access logs for unauthorized recovery key retrieval attempts. Complete patch deployment guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27913.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22455