CVE-2026-20928
Improper Data Handling in Windows Recovery Environment Enables Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-24
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_10_1607 | to 10.0.14393.9060 (exc) |
| microsoft | windows_10_1607 | to 10.0.14393.9060 (exc) |
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_server_2016 | to 10.0.14393.9060 (exc) |
| microsoft | windows_server_2019 | to 10.0.17763.8644 (exc) |
| microsoft | windows_server_2022 | to 10.0.20348.5020 (exc) |
| microsoft | windows_server_2022_23h2 | to 10.0.25398.2274 (exc) |
| microsoft | windows_server_2025 | to 10.0.26100.32690 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability involves improper removal of sensitive information before storage or transfer, which could lead to unauthorized access to sensitive data through a physical attack.
Such unauthorized access to sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require proper handling and protection of sensitive data.
However, specific effects on compliance or regulatory requirements are not detailed in the provided information.
Can you explain this vulnerability to me?
This vulnerability involves the improper removal of sensitive information before it is stored or transferred within the Windows Recovery Environment Agent. Because of this flaw, an unauthorized attacker who has physical access to the device can bypass a security feature.
How can this vulnerability impact me? :
The vulnerability allows an attacker with physical access to bypass a security feature, potentially exposing sensitive information that should have been removed before storage or transfer. This can lead to unauthorized access to protected data.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability involves improper removal of sensitive information in the Windows Recovery Environment Agent, which allows a security feature bypass via physical attack.
To mitigate this vulnerability, it is recommended to apply any security updates or patches provided by Microsoft for the Windows Recovery Environment Agent as soon as they become available.