CVE-2026-20935 is a vulnerability classified under CWE-822 (Untrusted Pointer Dereference) found in the Windows Virtualization-Based Security (VBS) Enclave component of Microsoft Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability arises when the system dereferences a pointer that can be influenced by an untrusted source, leading to the disclosure of sensitive information. This flaw allows an unauthorized local attacker—without requiring privileges or user interaction—to access confidential data residing within the VBS enclave, a security boundary designed to protect sensitive operations and data from the rest of the operating system. The vulnerability does not impact system integrity or availability, focusing solely on confidentiality breaches. The CVSS v3.1 score of 6.2 (medium severity) reflects that the attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). No known exploits have been reported in the wild, and no patches have been released at the time of publication (January 2026). The vulnerability was reserved in December 2025 and publicly disclosed shortly after. The technical root cause involves improper validation or handling of pointers within the VBS enclave, which could be exploited by an attacker with local access to leak sensitive enclave data. This could potentially expose cryptographic keys, credentials, or other protected information, undermining the security guarantees of VBS.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive information protected by Windows VBS enclaves. This could include cryptographic keys, authentication tokens, or other confidential data used in secure computing environments. Sectors such as finance, healthcare, government, and critical infrastructure that rely on Windows 11 with VBS enabled are particularly at risk. The vulnerability requires local access, so the threat is more pronounced in environments where attackers can gain physical or remote local access (e.g., via compromised endpoints or insider threats). Although the vulnerability does not allow privilege escalation or system disruption, the confidentiality breach could facilitate further attacks or data exfiltration. The absence of known exploits and patches reduces immediate risk but underscores the need for vigilance. Organizations may face regulatory and compliance challenges if sensitive data is exposed, especially under GDPR and other European data protection laws. The medium severity rating suggests moderate urgency in addressing the vulnerability to prevent potential information leaks.

1. Restrict local access to systems running Windows 11 Version 25H2 with VBS enabled by enforcing strict physical security and limiting administrative or user access to trusted personnel only. 2. Implement robust endpoint detection and response (EDR) solutions to monitor for unusual local activity that could indicate exploitation attempts targeting the VBS enclave. 3. Disable or limit the use of VBS enclaves on systems where the security benefits do not outweigh the risk or where local access cannot be tightly controlled. 4. Prepare for rapid deployment of security patches once Microsoft releases updates addressing CVE-2026-20935; test patches in controlled environments before wide deployment. 5. Conduct regular security audits and vulnerability assessments focusing on local privilege escalation and information disclosure vectors. 6. Educate users and administrators about the risks of local access vulnerabilities and enforce policies to prevent unauthorized device usage or software installation. 7. Use network segmentation to isolate critical systems and reduce the risk of lateral movement by attackers who gain local access. 8. Employ multi-factor authentication and strong credential management to mitigate the impact of any leaked credentials resulting from this vulnerability.