CVE-2026-27913
Improper Input Validation in Windows BitLocker Enables Local Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_server_2012 | r2 |
| microsoft | windows_server_2012 | * |
| microsoft | windows_server_2016 | to 10.0.14393.9060 (exc) |
| microsoft | windows_server_2019 | to 10.0.17763.8644 (exc) |
| microsoft | windows_server_2022 | to 10.0.20348.5020 (exc) |
| microsoft | windows_server_2022_23h2 | to 10.0.25398.2274 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is caused by improper input validation in Windows BitLocker. It allows an unauthorized attacker to bypass a security feature locally on the affected system.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an unauthorized attacker to bypass security features of Windows BitLocker, potentially compromising the confidentiality and integrity of your encrypted data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is important to apply the security updates provided by Microsoft for Windows BitLocker as soon as they are available.
Since the vulnerability involves improper input validation allowing a local attacker to bypass security features, ensuring that all systems are updated and that local access is restricted to trusted users can help reduce risk.