SB2026041589 - Information disclosure in Microsoft Windows Recovery Environment



Published: April 15, 2026

Security Bulletin ID SB2026041589
Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Physical access
Highest impact Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Removal of Sensitive Information Before Storage or Transfer (CVE-ID: CVE-2026-20928)

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper removal of sensitive information before storage or transfer in Windows Recovery Environment. An attacker with physical access can bypass the BitLocker Device Encryption feature on the system storage device, leading to information disclosure.


Remediation

Install the update from the vendor's website.