
CVE-2026-20962

Medium

Published: 13 January 2026

Modified: 14 January 2026
KEV Added
Patch
CVSS Score v3.1: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20962 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 4.4 (Medium).

Operationally, it ranks at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally.

CWE(s)

CWE-908 (Use of Uninitialized Resource)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft windows 10 1809: ≤ 10.0.17763.8276
microsoft windows 10 21h2: ≤ 10.0.19044.6809
microsoft windows 10 22h2: ≤ 10.0.19045.6809
microsoft windows 11 23h2: ≤ 10.0.22631.6491
microsoft windows 11 24h2: ≤ 10.0.26100.7623
microsoft windows 11 25h2: ≤ 10.0.26200.7623
microsoft windows server 2019: ≤ 10.0.17763.8276
microsoft windows server 2022: ≤ 10.0.20348.4648
microsoft windows server 2022 23h2: ≤ 10.0.25398.2092
microsoft windows server 2025: ≤ 10.0.26100.32230

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
