Description
Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Assess Impact
AI Analysis

Impact

An execution path in the Windows kernel can cause an error message to reveal sensitive data. The flaw arises when the kernel generates an error that leaks information, enabling an attacker with local privileges to gain access to details that should remain confidential. The vulnerability is classified under CWE-209, which describes improper error handling that exposes sensitive data. No additional outcome such as privilege escalation or denial of service is indicated by the available information.

Affected Systems

Microsoft Windows 11 versions 23H2, 24H2, 25H2, 22H3 and Microsoft Windows Server 2022 and 2025, including the 23H2 (Server Core) edition. These include both arm64 and x64 builds for desktop and server configurations.

Risk and Exploitability

The CVSS score of 5.5 places the vulnerability in the medium severity range, while the EPSS indicator of less than 1% suggests that exploitation is currently unlikely. The flaw can be exploited only by a user who is already authorized on the target machine, meaning that attackers require local access or existing user privileges to trigger the kernel error. The fact that it is not listed in the CISA KEV catalog further indicates that there is no known public exploitation or widespread active use of this vulnerability.

Generated by OpenCVE AI on April 16, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-20838, which addresses the kernel error handling flaw. The update is listed on the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20838.
  • Reboot the affected systems to ensure the new kernel code is loaded and the patch takes effect.
  • Verify after patching that local error logs no longer contain sensitive data and conduct a local privilege integrity check to confirm that no unintended information exposure remains.

Generated by OpenCVE AI on April 16, 2026 at 18:21 UTC.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft windows 11 23h2
                                      Microsoft windows 11 24h2
                                      Microsoft windows 11 25h2
                                      Microsoft windows Server 2022 23h2
CPEs                                  cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products                    Microsoft windows 11 23h2
                                      Microsoft windows 11 24h2
                                      Microsoft windows 11 25h2
                                      Microsoft windows Server 2022 23h2

Wed, 14 Jan 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description                           Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.
Title                                 Windows Kernel Information Disclosure Vulnerability
First Time appeared                   Microsoft
                                      Microsoft windows 11 23h2
                                      Microsoft windows 11 24h2
                                      Microsoft windows 11 25h2
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 2025
                                      Microsoft windows Server 23h2
Weaknesses                            CWE-209
CPEs                                  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
                                      cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
                                      cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
                                      cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
                                      cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft windows 11 23h2
                                      Microsoft windows 11 24h2
                                      Microsoft windows 11 25h2
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 2025
                                      Microsoft windows Server 23h2
References
Metrics                               cvssV3_1
                                      {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:35.110Z

Reserved: 2025-12-03T05:54:20.376Z

Link: CVE-2026-20838

Vulnrichment

Updated: 2026-01-13T19:36:37.936Z

NVD

Status : Analyzed

Published: 2026-01-13T18:16:12.153

Modified: 2026-01-15T15:15:51.933

Link: CVE-2026-20838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses