Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Use of uninitialized resource in Windows Boot Manager allows an unauthorized attacker to bypass a security feature with a physical attack.
AnalysisAI
Windows Boot Manager contains an uninitialized resource vulnerability (CWE-908) that allows unauthorized attackers to bypass security features through physical access to affected systems. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2016/2019/2022/2025. While the CVSS score of 4.6 reflects the physical attack vector requirement and information disclosure impact, the authentication bypass nature comb
Technical ContextAI
The vulnerability stems from use of an uninitialized resource in the Windows Boot Manager, which is responsible for managing the early boot process and security features such as Secure Boot and measured boot. CWE-908 (Use of Uninitialized Resource) occurs when code attempts to use a resource-in this case likely memory or a security-related state variable-before it has been properly initialized with a safe default value. This uninitialized state in the Boot Manager allows an attacker with physical access to manipulate the boot process and bypass authentication or security enforcement mechanisms. The Boot Manager's privileged position in the system startup sequence means that compromising its integrity can lead to complete system security bypass before the operating system kernel even loads.
RemediationAI
Vendor-released patches are available for all affected Windows versions. Users should apply the cumulative updates specified for each version: Windows 10 Version 1607 requires update to 10.0.14393.9060 or later, Version 1809 to 10.0.17763.8644 or later, Version 21H2 to 10.0.19044.7184 or later, Version 22H2 to 10.0.19045.7184 or later; Windows 11 Version 22H3/23H2 to 10.0.22631.6936 or later, Version 24H2 to 10.0.26100.32690 or later, Version 25H2 to 10.0.26200.8246 or later, Version 26H1 to 10.0.28000.1836 or later; Windows Server 2016 to 10.0.14393.9060 or later, Server 2019 to 10.0.17763.8644 or later, Server 2022 to 10.0.20348.5020 or later (or 10.0.25398.2274 for 23H2 Edition), Server 2025 to 10.0.26100.32690 or later. Patches should be deployed via Windows Update or WSUS. As a compensating control, organizations should enforce strong physical security measures to restrict direct hardware access to systems, including secure boot environments, BIOS/UEFI password protection, and hardware TPM attestation where available. Microsoft patch guidance and additional advisory details are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26175.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22412
GHSA-hxjp-pw3h-w6qr