Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.
AnalysisAI
Windows Recovery Environment Agent improperly stores sensitive information without adequate removal, allowing physical attackers to extract confidential data and bypass security features. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2016-2025, and Server Core installations across multiple builds. Microsoft has released vendor patches to remediate the information disclosure.
Technical ContextAI
The Windows Recovery Environment (WinRE) Agent is a critical component that operates during system recovery and repair operations. It handles sensitive data such as encryption keys, credentials, or system recovery information that should be purged before storage or transfer. CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) indicates the root cause: the agent fails to sanitize or securely delete sensitive data from memory, disk buffers, or temporary storage before those resources become accessible to an attacker with physical access. The attack vector (AV:P) confirms this requires physical device access-an attacker could extract the unremoved sensitive information via direct memory access, disk forensics, or hardware-based side channels after device compromise or seizure.
RemediationAI
Install the vendor-released security update from Microsoft addressing CVE-2026-20928. Patch availability for each affected version is listed in the EUVD affected versions range above; systems should be updated to builds exceeding the upper bound of each range (e.g., Windows 11 Version 26H1 systems should reach 10.0.28000.1836 or later). Consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20928 for exact cumulative update KB numbers and download links. For systems unable to patch immediately, restrict physical access to devices and implement full-disk encryption and BIOS/firmware security measures to mitigate the risk of direct memory or storage extraction. No authenticated or unauthenticated remote workarounds are applicable given the physical-only attack vector.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22352
GHSA-wfg3-6grc-fqv3