Description
Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
Published: 2026-04-14
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local security feature bypass in Windows BitLocker
Action: Patch Immediately
AI Analysis

Impact

Improper input validation in Windows BitLocker allows a local attacker to bypass a security feature. Because the bypassed feature is the protection BitLocker places around encrypted volumes, a successful attack can expose or alter the data stored on those volumes; the CVSS vector recorded below rates both the confidentiality and the integrity impact as High. The weakness is classified as CWE-20 (Improper Input Validation): the component accepts input it does not validate and, as a result, fails to enforce a protective control.

Affected Systems

The advisory lists Windows Server 2012, 2012 R2, 2016, 2019, 2022 and Windows Server 2022, 23H2 Edition, including the Server Core installation of each. Windows Server 2012 and 2012 R2 are past the end of extended support, so on those versions the update is only delivered to hosts enrolled in Extended Security Updates (ESU). The product list on this page contains only Windows Server editions; check the Microsoft Security Update Guide entry for CVE-2026-27913 for the complete list of affected products.

Risk and Exploitability

The CVSS 3.1 base score of 7.7 is rated High. The vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) means the attacker needs local access to the machine but no privileges and no user interaction: it does not require a user or administrator account on the target, and the 7.7 is only consistent with PR:N (scoring the same vector with PR:L would lower it). The temporal metrics E:U/RL:O/RC:C record that no exploit is known to exist, an official fix is available and the report is confirmed. The CVE is not in the CISA KEV catalog, EPSS puts the probability of exploitation below 1%, and the SSVC assessment recorded in the History section is Exploitation: none, Automatable: no, Technical Impact: total. The risk therefore comes from anyone who can reach the machine locally, whether an insider, someone with physical access to the hardware, or an adversary who has already gained a foothold on the host, regardless of account privileges.

Generated by OpenCVE AI on April 14, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround is recorded on this page (the References field in the History section is empty). The CVSS temporal vector, however, carries RL:O, meaning an official fix is available; Microsoft distributes it as part of the Windows Server security updates listed in the Security Update Guide entry for CVE-2026-27913 (see the recommended actions below).

OpenCVE Recommended Actions

  • Apply the latest Windows Server security update for CVE-2026-27913 from Microsoft, as listed in the Microsoft Security Update Guide, to every affected version including Server Core installations
  • Verify that the patch has been successfully installed by checking the system's update history, and confirm afterwards that BitLocker protection is still On for every protected volume
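One way to carry out the two recommended actions across a set of servers, as an added example that is not part of the OpenCVE page or of Microsoft's guidance: a PowerShell function that checks, locally or over WinRM, whether the update is installed and whether BitLocker protection is still on for each volume. The function name and parameters are the example's own. The KB number of the update is not printed on this page and must be taken from the MSRC Security Update Guide entry for CVE-2026-27913, so the value in the usage lines is a placeholder.

```powershell
# Added example (not from the OpenCVE page or Microsoft): verify the update for
# CVE-2026-27913 is installed and that BitLocker protection remains enabled.
# Requires Get-HotFix (built in) and, for the volume check, the BitLocker module
# that ships with the BitLocker feature on Windows Server.

function Test-BitLockerUpdateState {
    [CmdletBinding()]
    param(
        # KB article of the update that ships the fix. Not on this page: read it
        # from the MSRC entry for the CVE (assumed input, e.g. 'KB0000000').
        [Parameter(Mandatory)][string]$KbId,
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $probe = {
        param($KbId)
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem
        $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

        # Get-BitLockerVolume is only present when the BitLocker feature is installed.
        $vols = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
            Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join '+' } }
        } else { $null }

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            OS              = $os.Caption
            Build           = $os.BuildNumber
            UpdateInstalled = [bool]$fix
            InstalledOn     = if ($fix) { $fix.InstalledOn } else { $null }
            # Volumes whose protection is Off or Unknown after patching need attention.
            UnprotectedVols = @($vols | Where-Object ProtectionStatus -ne 'On' | ForEach-Object MountPoint) -join ', '
            Protectors      = @($vols | ForEach-Object { "$($_.MountPoint) [$($_.Protectors)]" }) -join '; '
            BitLockerModule = [bool]$vols
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $probe $KbId }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $KbId }
    }
}

# Usage; 'KB0000000' is a placeholder for the KB listed in the MSRC entry.
Test-BitLockerUpdateState -KbId 'KB0000000' | Format-List

# Fleet check over WinRM, flagging hosts that are unpatched or have unprotected volumes.
# Test-BitLockerUpdateState -KbId 'KB0000000' -ComputerName (Get-Content .\servers.txt) |
#     Where-Object { -not $_.UpdateInstalled -or $_.UnprotectedVols } | Format-Table -AutoSize
```

A host reports UpdateInstalled only when Get-HotFix finds the KB in the installed-update inventory; a False value together with BitLockerModule False means the host could not be assessed for BitLocker state at all and should be checked by hand (for example with manage-bde -status).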

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft windows Server 2022 23h2
CPEs                                  cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products                    Microsoft windows Server 2022 23h2

Wed, 15 Apr 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft windows Server 2012 (server Core Installation)
                                      Microsoft windows Server 2012 R2
                                      Microsoft windows Server 2012 R2 (server Core Installation)
                                      Microsoft windows Server 2016 (server Core Installation)
                                      Microsoft windows Server 2019 (server Core Installation)
                                      Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Vendors & Products                    Microsoft windows Server 2012 (server Core Installation)
                                      Microsoft windows Server 2012 R2
                                      Microsoft windows Server 2012 R2 (server Core Installation)
                                      Microsoft windows Server 2016 (server Core Installation)
                                      Microsoft windows Server 2019 (server Core Installation)
                                      Microsoft windows Server 2022, 23h2 Edition (server Core Installation)

Wed, 15 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description                           Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
Title                                 Windows BitLocker Security Feature Bypass Vulnerability
First Time appeared                   Microsoft
                                      Microsoft windows Server 2012
                                      Microsoft windows Server 2012 R2
                                      Microsoft windows Server 2016
                                      Microsoft windows Server 2019
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 23h2
Weaknesses                            CWE-20
CPEs                                  cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
                                      cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
                                      cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft windows Server 2012
                                      Microsoft windows Server 2012 R2
                                      Microsoft windows Server 2016
                                      Microsoft windows Server 2019
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 23h2
References
Metrics                               cvssV3_1
                                      {'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:42:03.954Z

Reserved: 2026-02-24T21:35:49.686Z

Link: CVE-2026-27913

Vulnrichment

Updated: 2026-04-15T09:08:27.122Z

NVD

Status : Analyzed

Published: 2026-04-14T18:16:58.860

Modified: 2026-04-23T14:55:32.397

Link: CVE-2026-27913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:45:03Z

Weaknesses