CVE-2026-20936 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The flaw exists in the Windows Network Driver Interface Specification (NDIS), a core networking component responsible for managing network drivers and communication. The vulnerability allows an authorized attacker with physical access to the device to perform an out-of-bounds read, meaning the attacker can read memory locations outside the intended buffer boundaries. This can lead to disclosure of sensitive information residing in adjacent memory areas. The attack vector requires physical presence (AV:P) and low privileges (PR:L), but no user interaction (UI:N) is needed. The scope is unchanged (S:U), and the impact is limited to confidentiality (C:H), with no impact on integrity or availability. The CVSS 3.1 base score is 4.3, indicating a medium risk. No known exploits have been reported in the wild, and no official patches or mitigations have been published yet. The vulnerability is relevant mainly for legacy systems still running Windows 10 Version 1607, which is an older release no longer supported by mainstream updates. The physical attack requirement limits remote exploitation, but environments where attackers can gain physical access to devices are at risk of information leakage through this flaw.

The primary impact of CVE-2026-20936 is unauthorized disclosure of sensitive information due to out-of-bounds memory reads in the NDIS component. This can compromise confidentiality by exposing data that should remain protected, such as cryptographic keys, passwords, or other sensitive information stored in memory. Since the vulnerability requires physical access and low privileges, it is less likely to be exploited remotely or in large-scale automated attacks. However, in environments where devices are physically accessible—such as public terminals, shared workstations, or devices in insecure locations—attackers could leverage this flaw to extract sensitive data. The lack of impact on integrity and availability means the vulnerability does not allow modification or disruption of system operations. Organizations relying on legacy Windows 10 Version 1607 systems are at risk, especially if these systems handle sensitive data and are deployed in physically accessible environments. The absence of known exploits reduces immediate risk but does not eliminate the need for mitigation due to potential future exploitation.

1. Upgrade affected systems to a supported and fully patched version of Windows 10 or later, as Windows 10 Version 1607 is outdated and no longer receives security updates. 2. Restrict physical access to devices running the vulnerable version by implementing strict physical security controls such as locked rooms, secure cabinets, or access badges. 3. Employ full disk encryption and memory protection technologies to reduce the risk of sensitive data exposure even if physical access is obtained. 4. Monitor and audit physical access logs to detect unauthorized attempts to access devices. 5. Disable or restrict network interfaces and services that are not required to minimize the attack surface related to NDIS. 6. If upgrading is not immediately possible, consider isolating vulnerable devices from sensitive networks and data to limit potential damage. 7. Stay alert for official patches or security advisories from Microsoft and apply them promptly once available. 8. Conduct regular security assessments and penetration tests focusing on physical security and memory disclosure risks.