{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20938", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-04T20:04:16.337Z", "datePublished": "2026-01-13T17:56:44.374Z", "dateUpdated": "2026-04-01T13:48:53.770Z"}, "containers": {"cna": {"title": "Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability", "datePublic": "2026-01-13T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_2H2:*:*:*:*:*:*:x64:*", "versionStartIncluding": "10.0.26200.0", "versionEndExcluding": "10.0.26200.7623"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*", "versionStartIncluding": "10.0.26100.0", "versionEndExcluding": "10.0.26100.7623"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*", "versionStartIncluding": "10.0.22631.0", "versionEndExcluding": "10.0.22631.6491"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*", "versionStartIncluding": "10.0.22631.0", "versionEndExcluding": "10.0.22631.6491"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Windows 11 version 22H3", "platforms": ["ARM64-based Systems"], "versions": [{"version": "10.0.22631.0", "lessThan": "10.0.22631.6491", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows 11 Version 23H2", "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.22631.0", "lessThan": "10.0.22631.6491", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows 11 Version 24H2", "platforms": ["ARM64-based Systems", "x64-based Systems"], "versions": [{"version": "10.0.26100.0", "lessThan": "10.0.26100.7623", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows 11 Version 25H2", "versions": [{"version": "10.0.26200.0", "lessThan": "10.0.26200.7623", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-822: Untrusted Pointer Dereference", "lang": "en-US", "type": "CWE", "cweId": "CWE-822"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:48:53.770Z"}, "references": [{"name": "Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20938"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:55:54.463334Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:28.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:55:54.463334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:33:04.337Z"}}], "cna": {"title": "Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Windows 11 version 22H3", "versions": [{"status": "affected", "version": "10.0.22631.0", "lessThan": "10.0.22631.6491", "versionType": "custom"}], "platforms": ["ARM64-based Systems"]}, {"vendor": "Microsoft", "product": "Windows 11 Version 23H2", "versions": [{"status": "affected", "version": "10.0.22631.0", "lessThan": "10.0.22631.6491", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Windows 11 Version 24H2", "versions": [{"status": "affected", "version": "10.0.26100.0", "lessThan": "10.0.26100.7623", "versionType": "custom"}], "platforms": ["ARM64-based Systems", "x64-based Systems"]}, {"vendor": "Microsoft", "product": "Windows 11 Version 25H2", "versions": [{"status": "affected", "version": "10.0.26200.0", "lessThan": "10.0.26200.7623", "versionType": "custom"}]}], "datePublic": "2026-01-13T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20938", "name": "Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-822", "description": "CWE-822: Untrusted Pointer Dereference"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_11_2H2:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "10.0.26200.7623", "versionStartIncluding": "10.0.26200.0"}, {"criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*", "vulnerable": true, "versionEndExcluding": "10.0.26100.7623", "versionStartIncluding": "10.0.26100.0"}, {"criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*", "vulnerable": true, "versionEndExcluding": "10.0.22631.6491", "versionStartIncluding": "10.0.22631.0"}, {"criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "10.0.22631.6491", "versionStartIncluding": "10.0.22631.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:48:53.770Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20938", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:48:53.770Z", "dateReserved": "2025-12-04T20:04:16.337Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-13T17:56:44.374Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*", "matchCriteriaId": "7D2B0BB9-E94A-420E-8E53-A4C1136DE73E", "versionEndExcluding": "10.0.22631.6491", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*", "matchCriteriaId": "78C4B71B-5345-4D83-A0A9-A15F783CF9A9", "versionEndExcluding": "10.0.22631.6491", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "matchCriteriaId": "208734FD-5175-4856-9D08-ED6CFF64AA14", "versionEndExcluding": "10.0.26100.7623", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "matchCriteriaId": "846261D4-ECC2-4DCB-8F8F-F27F8C99F061", "versionEndExcluding": "10.0.26100.7623", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "matchCriteriaId": "33E138A3-968B-4109-AC13-D488685F0AF2", "versionEndExcluding": "10.0.26200.7623", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "matchCriteriaId": "CC1FE5A1-3E6E-4606-899B-BF7BF3D3DD8D", "versionEndExcluding": "10.0.26200.7623", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally."}], "id": "CVE-2026-20938", "lastModified": "2026-01-16T15:47:57.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-01-13T18:16:20.980", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20938"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-822"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T08:17:53.090181+00:00", "value": {"mitigation_remediation": ["Apply Microsoft\u2019s security update for CVE\u20112026\u201120938 as soon as it becomes available.", "If a patch is delayed, disable Virtualization\u2011Based Security or the specific enclave features that access the vulnerable code paths to eliminate the attack surface.", "Implement least privilege policies to restrict the rights of user accounts that may gain local access, reducing the impact of any successful escalation.", "Regularly scan for indicators of exploitation and monitor system logs for unexpected privilege changes.", "Maintain up\u2011to\u2011date system backups to allow rapid recovery if an attack succeeds."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Microsoft Windows 11 is affected in its 23H2, 24H2, 25H2, and 22H3 releases. The vulnerability spans both x64 and ARM64 architectures for these build versions.", "description_and_impact": "An untrusted pointer dereference within Windows Virtualization-Based Security (VBS) enclaves permits an authorized attacker to elevate privileges on a local system. This flaw exploits the enclave\u2019s memory handling to bypass security checks, enabling the attacker to gain higher privileges, potentially compromising system integrity and confidentiality. The weakness is identified as CWE-822, reflecting improper validation of user-controlled data before dereferencing.", "risk_and_exploitability": "The CVSS score of 7.8 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The flaw is not cataloged in CISA\u2019s Known Exploited Vulnerabilities list, implying no publicly available exploits at the moment. Nevertheless, the local attack vector requires an authorized attacker\u2014such as a user with foothold or existing local access\u2014to trigger the pointer attack, potentially leading to full privilege escalation on the compromised machine."}}}}, "created": "2026-04-16T08:30:29.831495+00:00", "updated": "2026-04-16T08:30:29.831505+00:00", "vendors": []}