CVE-2026-20935 is a vulnerability identified in Microsoft Windows 11 Version 25H2 (build 10.0.26200.0) that affects the Virtualization-Based Security (VBS) Enclave, a security feature designed to isolate sensitive processes and data from the rest of the operating system. The vulnerability is classified under CWE-822, which refers to untrusted pointer dereference. In this context, the flaw allows an attacker with local access to the system to dereference pointers that have not been properly validated, potentially leading to the disclosure of sensitive information stored within the VBS enclave. The attack does not require any privileges or user interaction, making it easier to exploit for an attacker who already has local access. However, the attack vector is limited to local access only (AV:L), which reduces the scope of impact. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability, meaning the attacker can read sensitive data but cannot modify or disrupt system operations. The CVSS v3.1 base score is 6.2, indicating a medium severity level. No known exploits have been reported in the wild, and no patches have been published at the time of this analysis. The vulnerability was reserved in December 2025 and published in January 2026. The absence of patches means organizations must rely on mitigating controls until an official fix is released. The vulnerability highlights a weakness in pointer validation within the VBS enclave, which is critical for protecting sensitive operations such as credential storage, cryptographic keys, and other security-sensitive data. Exploitation could lead to local information disclosure, potentially aiding further attacks or privilege escalation if combined with other vulnerabilities.

For European organizations, the primary impact of CVE-2026-20935 is the potential unauthorized disclosure of sensitive information protected by the Windows VBS enclave. This could include cryptographic keys, credentials, or other sensitive data that, if exposed, might facilitate subsequent attacks such as lateral movement or privilege escalation. Organizations in sectors with high security requirements—such as finance, government, healthcare, and critical infrastructure—are particularly at risk because they often rely on VBS for enhanced security. The local access requirement limits the threat to insiders or attackers who have already compromised a system to some extent, but the lack of privilege or user interaction requirements lowers the barrier for exploitation once local access is obtained. The vulnerability does not affect system integrity or availability, so direct disruption is unlikely. However, the confidentiality breach could have significant downstream effects, including regulatory compliance issues under GDPR if personal data is exposed. The medium severity rating suggests that while the risk is not critical, it is significant enough to warrant prompt attention, especially in environments where VBS is enabled and trusted for security isolation.

1. Restrict local access: Limit physical and remote local access to systems running Windows 11 Version 25H2, especially those with VBS enabled, to trusted personnel only. 2. Monitor for patches: Continuously monitor Microsoft security advisories and apply patches promptly once released to address CVE-2026-20935. 3. Harden endpoint security: Employ endpoint detection and response (EDR) solutions to detect suspicious local activities that could indicate exploitation attempts. 4. Use application control: Implement application whitelisting to prevent unauthorized code execution that could leverage this vulnerability. 5. Network segmentation: Isolate critical systems with VBS enabled to reduce the risk of lateral movement by attackers who gain local access. 6. Audit and monitor local accounts: Regularly review local user accounts and privileges to reduce the risk of unauthorized local access. 7. Educate users: Train employees on the risks of local access attacks and enforce policies to prevent unauthorized physical or remote local access. 8. Consider disabling VBS temporarily if the risk of local access compromise is high and no patch is available, balancing security trade-offs carefully.