CVE-2026-32220
Improper Access Control in Windows VBS Enclave Enables Local Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-17
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_server_2025 | to 10.0.26100.32690 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves improper access control in the Windows Virtualization-Based Security (VBS) Enclave. It allows an authorized attacker to locally bypass a security feature within the system.
How can this vulnerability impact me? :
An authorized attacker exploiting this vulnerability could bypass certain security features on a Windows system using VBS Enclave. This could lead to unauthorized actions or changes that compromise the integrity of the system, potentially allowing the attacker to perform harmful operations despite existing security controls.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to apply the security updates provided by Microsoft for Windows Virtualization-Based Security (VBS) Enclave as soon as they are available.
Since the vulnerability allows an authorized attacker to bypass a security feature locally, ensuring that only trusted users have high privilege access and applying principle of least privilege can help reduce risk.