Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
AnalysisAI
Windows Boot Loader accepts untrusted inputs for security decisions, allowing authorized local attackers to bypass security features with high confidentiality, integrity, and availability impact. This authentication bypass vulnerability (CVSS 6.7) affects Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows Server 2016, 2019, and 2022. Microsoft has released patches addressing the root cause of reliance on untrusted security-critical inputs.
Technical ContextAI
The Windows Boot Loader is a low-level firmware/boot-stage component responsible for initiating the operating system and enforcing early-stage security policies. The vulnerability stems from CWE-807 (Reliance on Untrusted Inputs in a Security Decision), a design flaw where the boot loader fails to validate or trust critical security decision inputs before enforcement. This allows an authorized local user with high privileges (PR:H in CVSS) to influence boot-time security mechanisms by providing crafted or malicious input that the loader incorrectly accepts as legitimate. The boot stage executes with maximum system privileges before normal OS protections are active, making this attack surface particularly sensitive. The local attack vector and high-privilege requirement suggest the attacker already has administrative or system-level access, but the vulnerability permits them to circumvent additional security boundaries (such as Secure Boot or other firmware-level protections) that would normally restrict their capabilities.
RemediationAI
Vendor-released patch is available. Apply the following cumulative updates or later: Windows 10 Version 1607 build 14393.9060 or later, Windows 10 Version 1809 build 17763.8644 or later, Windows 10 Version 21H2 build 19044.7184 or later, Windows 10 Version 22H2 build 19045.7184 or later, Windows Server 2016 build 14393.9060 or later, Windows Server 2019 build 17763.8644 or later, and Windows Server 2022 build 20348.5020 or later. Since this vulnerability affects the boot loader, systems may require a restart to fully apply the patch and ensure the remediation takes effect. Organizations should prioritize patching systems where high-privileged administrative accounts are shared or where insider threat risk is elevated. Full guidance and patch downloads are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0390.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22350
GHSA-crrm-44jr-89j8