Skip to main content

Microsoft EUVDEUVD-2026-22455

| CVE-2026-27913 HIGH
Improper Input Validation (CWE-20)
2026-04-14 microsoft
7.7
CVSS 3.1 · NVD
Temporal: 6.7
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CIRCL (temporal)
6.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:29 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22455
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 7.7

DescriptionCVE.org

Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.

AnalysisAI

BitLocker encryption bypass in Windows Server 2012 through 2022 enables local attackers with physical access to circumvent disk encryption protections without authentication. The vulnerability affects all Server Core and standard editions across ten years of Windows Server releases. Patch available per Microsoft Security Response Center (MSRC-2026-27913). No public exploit identified at time of analysis, but the local attack vector (AV:L) with no authentication requirement (PR:N) indicates high risk in scenarios where physical device access is possible, such as lost/stolen servers or insider threats.

Technical ContextAI

BitLocker is Microsoft's full-disk encryption technology integrated into Windows Server operating systems to protect data at rest through AES encryption and Trusted Platform Module (TPM) integration. This vulnerability represents an input validation flaw (CWE-20) in the BitLocker security feature itself, where improper validation of locally-provided data allows bypass of encryption protections. The CPE data identifies affected components across Windows Server 2012 (build 6.2.9200), Server 2012 R2 (6.3.9600), Server 2016 (10.0.14393), Server 2019 (10.0.17763), and Server 2022/23H2 (10.0.20348/10.0.25398). Both standard installations and Server Core installations are vulnerable. The input validation weakness likely exists in pre-boot authentication mechanisms, recovery key handling, or volume mounting procedures where BitLocker validates credentials or system state before granting access to encrypted volumes.

RemediationAI

Apply Microsoft security updates immediately to patch the BitLocker input validation vulnerability. Fixed versions are Windows Server 2012 build 6.2.9200.26026 or later, Windows Server 2012 R2 build 6.3.9600.23132 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, and Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later. Updates are delivered through standard Windows Update channels or WSUS for enterprise environments. Until patching is complete, implement compensating controls including enhanced physical security for servers with BitLocker-encrypted volumes, restricted physical access to server rooms and data centers, chassis intrusion detection where available, and accelerated decommissioning procedures for devices removed from secure facilities. Review BitLocker recovery key storage security and audit access logs for unauthorized recovery key retrieval attempts. Complete patch deployment guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27913.

Share

EUVD-2026-22455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy