Security Vulnerability Report
中文
CVE-2026-20962 CVSS 4.4 MEDIUM

CVE-2026-20962

Published: 2026-01-13 18:16:24
Last Modified: 2026-01-14 19:34:12
Source: [email protected]

Description

Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:* - VULNERABLE
Windows Server 2022 (特定版本)
Windows 11 22H2 (特定版本)
Windows 10 22H2 (特定版本)
Windows Server 2019 (特定版本)
支持DRTM功能的其他Windows版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2026-20962 PoC - DRTM Uninitialized Resource Information Disclosure // Note: This is a conceptual PoC demonstrating the vulnerability pattern // Actual exploitation requires specific environment and privileged access #include <windows.h> #include <stdio.h> // Simulated DRTM resource access pattern typedef struct _DRTM_CONTEXT { PVOID UninitializedBuffer; // Vulnerable: uninitialized resource ULONG ResourceSize; ULONG Flags; } DRTM_CONTEXT, *PDRTM_CONTEXT; // Trigger DRTM operation with specific conditions BOOL TriggerDRTMVulnerability(PDRTM_CONTEXT Context) { // Attempt to access uninitialized resource // In vulnerable version, this reads uninitialized memory PVOID Data = Context->UninitializedBuffer; // Process and potentially leak the uninitialized data if (Data != NULL) { // Vulnerable code path: uses data without verification printf("[+] Accessing potentially uninitialized resource at %p\n", Data); // Information disclosure through various channels // (e.g., timing differences, error messages, debug output) return TRUE; } return FALSE; } int main() { printf("CVE-2026-20962 DRTM Uninitialized Resource PoC\n"); printf("Requires: High local privileges, DRTM access\n"); printf("Target: Windows DRTM component\n\n"); // This PoC demonstrates the vulnerability pattern // Actual exploitation requires kernel-level access // and specific system state conditions DRTM_CONTEXT ctx; ctx.UninitializedBuffer = NULL; // Uninitialized in vulnerable code ctx.ResourceSize = 0x1000; ctx.Flags = 0; printf("[*] Triggering DRTM operation...\n"); TriggerDRTMVulnerability(&ctx); printf("[!] This PoC is for educational purposes only.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20962", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:24.093", "lastModified": "2026-01-14T19:34:12.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally."}, {"lang": "es", "value": "Uso de recurso no inicializado en Dynamic Root of Trust for Measurement (DRTM) permite a un atacante autorizado divulgar información localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "DD4CBDAB-7626-4048-8474-B1BD9C1F3255"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A6D4C631-2CC0-407C-9ACA-7C151006598C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "9CFC3200-1FAB-4AB1-A008-F703EEF3505A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "E481E93D-D86E-4B65-93E5-200327C348C8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "F720EC9F-6A33-445F-AFA1-794405737E57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": "85E22F96-B552-4BBA-AFA1-85C1FC55DB32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": "5ACD940D-CA6A-402B-B132-E5A66139C44F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": "354AD10F-EEF4-461D-BDBB-245B97E3D420"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.22631.6491", "matchCriteriaId": "7D2B0BB9-E94A-420E-8E53-A4C1136DE73E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.22631.6491", "matchCriteriaId": "78C4B71B-5345-4D83-A0A9-A15F783CF9A9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "208734FD-5175-4856-9D08-ED6CFF64AA14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "846261D4-ECC2-4DCB-8F8F-F27F8C99F061"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "33E138A3-968B-4109-AC13-D488685F0AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "CC1FE5A1-3E6E-4606-899B-BF7BF3D3DD8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A74970A1-CC81-4482-B465-8382B1544EF3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4648", "matchCriteriaId": "C4AA6991-DE34-48F6-AFD3-77CEE7FBB692"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.25398.2092", "matchCriteriaId": "9738ABD2-1692-4547-B4AF-8673D3F8129C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.32230", "matchCriteriaId": "1BCFDBEF-B7E3-4DE8-BAAC-F648701F6947"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20962", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.