CVE-2026-20935: Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability
Overview
- Severity
- Medium (CVSS 6.2)
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
- Category
- Information Disclosure
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2026-Jan
- Released
- 2026-01-13
- EPSS Score
- 0.03% (percentile: 9.9%)
Description
Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally.
FAQ
What type of information could be disclosed by this vulnerability?
An attacker who successfully exploited this vulnerability could view Virtual Trust Level 1 (VTL1) data from Virtual Trust 0 (VTL0) which is the least privileged level.
Affected Products (6)
Windows
- Windows 11 Version 25H2 for ARM64-based Systems
- Windows 11 Version 25H2 for x64-based Systems
- Windows 11 Version 23H2 for ARM64-based Systems
- Windows 11 Version 23H2 for x64-based Systems
- Windows 11 Version 24H2 for ARM64-based Systems
- Windows 11 Version 24H2 for x64-based Systems
Security Updates (2)
Revision History
- 2026-01-13: Information published.