CVE-2026-20928

Medium

Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker…

secure@microsoft.com·CWE-212·Published 2026-04-14

CVSS

4.6

EPSS

0.00

KEV

Exploits

Vendor statements (1)

msrc.microsoft.com

cve.orgen

191 chars

Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	4.6	—	—	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
3.1	Secondary	NVD	4.6	0.9	3.6	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N