CVE-2026-20935 is a vulnerability identified in Microsoft Windows 11 version 22H3, specifically within the Virtualization-Based Security (VBS) Enclave component. The vulnerability is classified under CWE-822, which pertains to untrusted pointer dereference. This flaw occurs when the VBS Enclave improperly handles pointers from untrusted sources, leading to the dereferencing of invalid or malicious pointers. Such behavior can result in the disclosure of sensitive information to an unauthorized local attacker. The attack vector is local, requiring no privileges (PR:N) and no user interaction (UI:N), indicating that any local user can exploit the vulnerability without elevated rights or prompting. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability, meaning attackers can potentially read sensitive data but cannot modify or disrupt system operations. The scope is unchanged (S:U), so the impact is confined to the vulnerable component without affecting other system components. The CVSS v3.1 base score is 6.2, reflecting a medium severity level. No known exploits have been reported in the wild, and no patches have been released as of the publication date (January 13, 2026). The vulnerability was reserved in early December 2025, indicating recent discovery. The lack of patches means organizations must rely on mitigating controls until updates are available. The vulnerability is significant because VBS Enclave is designed to protect sensitive operations and data through hardware virtualization and isolation, so any information disclosure here undermines security assurances provided by VBS.

The primary impact of CVE-2026-20935 is unauthorized local disclosure of sensitive information within Windows 11 version 22H3 systems that have VBS enabled. This can lead to leakage of confidential data that may be used for further attacks or to compromise system security. Since the vulnerability does not affect integrity or availability, it does not allow attackers to modify system state or cause denial of service. However, information disclosure can facilitate privilege escalation or lateral movement in complex attack scenarios. Organizations with multi-user environments or where untrusted users have local access are at higher risk. The impact is particularly relevant for enterprises and government agencies relying on VBS for enhanced security. The absence of known exploits reduces immediate risk, but the medium severity and potential for sensitive data leakage necessitate proactive measures. The vulnerability could undermine trust in VBS-based protections, affecting security posture and compliance requirements.

Until official patches are released, organizations should implement specific mitigations to reduce exposure to CVE-2026-20935. First, restrict local access to Windows 11 22H3 systems with VBS enabled by enforcing strict user account controls and limiting physical or remote console access to trusted personnel only. Employ endpoint detection and response (EDR) solutions to monitor for suspicious local activity that may indicate exploitation attempts. Disable or limit the use of VBS Enclave features if feasible and if the security trade-offs are acceptable, as this may reduce the attack surface. Maintain up-to-date system inventories to identify affected devices and prioritize them for patching once updates become available. Conduct regular security awareness training emphasizing the risks of local access attacks. Additionally, implement application whitelisting and least privilege principles to minimize the ability of untrusted users to execute arbitrary code or access sensitive components. Monitor Microsoft security advisories closely for patch releases and apply them promptly. Finally, consider network segmentation to isolate critical systems and reduce the likelihood of local attackers gaining access to vulnerable endpoints.