CVE-2026-20828 is an out-of-bounds read vulnerability classified under CWE-125, found in the Windows Internet Connection Sharing (ICS) component of Microsoft Windows 10 Version 1607 (build 10.0.14393.0). This vulnerability arises when ICS improperly handles memory bounds, allowing an attacker with physical access to read memory locations outside the intended buffer. Such out-of-bounds reads can lead to unauthorized disclosure of sensitive information residing in memory, potentially exposing credentials, cryptographic keys, or other confidential data. The vulnerability does not require any privileges or user interaction, but exploitation is constrained by the necessity of physical access to the affected machine. The CVSS v3.1 base score of 4.6 reflects a medium severity, with a high impact on confidentiality but no impact on integrity or availability. The attack vector is physical (AV:P), meaning remote exploitation is not feasible. No known public exploits or patches are currently available, indicating that the vulnerability is newly disclosed and may require urgent attention from organizations still running this legacy Windows version. The vulnerability is particularly relevant for environments where ICS is enabled and physical access controls are weak.

The primary impact of CVE-2026-20828 is unauthorized disclosure of sensitive information due to out-of-bounds memory reads. This can compromise confidentiality by leaking data that could be used for further attacks, such as credential theft or escalation of privileges. Since the vulnerability requires physical access, the risk is mitigated in environments with strong physical security but remains significant in scenarios like shared workstations, kiosks, or poorly secured facilities. The lack of impact on integrity and availability means the system's operation and data modification are not directly threatened. However, information disclosure can facilitate subsequent attacks, increasing overall risk. Organizations relying on Windows 10 Version 1607 with ICS enabled, especially in sectors like government, finance, healthcare, and critical infrastructure, may face targeted attacks if physical security is compromised. The medium severity score suggests prioritization but not immediate emergency patching, especially given the absence of known exploits.

To mitigate CVE-2026-20828 effectively, organizations should: 1) Enforce strict physical security controls to prevent unauthorized access to devices running Windows 10 Version 1607. 2) Disable Internet Connection Sharing (ICS) on systems where it is not explicitly required, reducing the attack surface. 3) Apply any future security updates or patches from Microsoft promptly once available. 4) Conduct audits to identify legacy systems still running the affected Windows version and plan upgrades to supported versions with active security maintenance. 5) Use endpoint security solutions capable of detecting anomalous local activity that might indicate exploitation attempts. 6) Educate users and administrators about the risks of physical access attacks and the importance of device security. 7) Consider network segmentation to isolate vulnerable systems and limit exposure. These steps go beyond generic advice by focusing on the physical access vector and the specific ICS component involved.