Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.
AnalysisAI
Windows Virtualization-Based Security (VBS) Enclave in Windows 11 (versions 24H2, 25H2, 26H1) and Windows Server 2025 allows high-privileged local attackers to bypass security features through improper access control, resulting in integrity compromise without requiring user interaction. A vendor-released patch is available from Microsoft's security updates.
Technical ContextAI
Virtualization-Based Security (VBS) Enclaves in Windows leverage hardware virtualization and isolation mechanisms to create protected execution environments resistant to kernel-level compromise. The vulnerability stems from CWE-284 (Improper Access Control), indicating inadequate authorization checks within the enclave's access control mechanisms. Affected systems span multiple Windows 11 build versions (24H2, 25H2, 26H1) and Windows Server 2025 deployments, including Server Core installations. The vulnerability requires high privilege context (PR:H in CVSS vector), limiting exploitation to users or processes already operating at administrator level on the local system.
RemediationAI
Vendor-released patch: Install Microsoft security updates that increment Windows 11 Version 24H2 to build 10.0.26100.32690 or later, Windows 11 Version 25H2 to build 10.0.26200.8246 or later, Windows 11 Version 26H1 to build 10.0.28000.1836 or later, and Windows Server 2025 to build 10.0.26100.32690 or later. Apply updates through Windows Update, WSUS, or direct download from the Microsoft Security Response Center (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32220). No interim workarounds are documented; patching is the primary remediation path. Organizations should test patches in non-production environments before broad deployment to ensure compatibility with VBS-dependent applications or security tools.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22607
GHSA-m38r-h8hp-4q9w