4.6
Windows Recovery Environment Agent Leaks Sensitive Data on Physical Attack
CVE-2026-20928
Summary
The Windows Recovery Environment Agent fails to properly remove sensitive information before storage or transfer, which lets an unauthorized attacker with physical access bypass a security feature. This could allow the attacker to gain access to sensitive data. To protect your system, ensure you're using the latest version of the Windows Recovery Environment Agent and take steps to secure your physical environment.
Original title
Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.
Original description
Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.
nvd CVSS3.1
4.6
Vulnerability type
CWE-212
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026