Skip to main content

Windows Boot Manager CVE-2026-47656

| EUVDEUVD-2026-35582 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-09 secure@microsoft.com GHSA-jqmx-x9xp-cx7q
7.9
CVSS 3.1 · NVD
Temporal: 6.9
Share

Severity by source

NVD PRIMARY
7.9 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CIRCL (temporal)
6.9 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:51 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.9

DescriptionCVE.org

Protection mechanism failure in Windows Boot Manager allows an authorized attacker to bypass a security feature locally.

AnalysisAI

Security feature bypass in Microsoft Windows Boot Manager enables an authorized local attacker with high privileges to defeat a protection mechanism during the boot process, with scope change extending impact beyond the initial security boundary. The flaw carries a CVSS 7.9 rating reflecting high confidentiality and integrity impact, and no public exploit identified at time of analysis. The scope-changed nature suggests the bypass undermines a trust boundary such as Secure Boot or BitLocker pre-boot integrity.

Technical ContextAI

Windows Boot Manager (bootmgr/bootmgfw.efi) is the UEFI/BIOS-stage component that loads the Windows kernel and enforces pre-OS security guarantees including Secure Boot signature validation, BitLocker volume unlock decisions, and Measured Boot TPM attestation. CWE-693 (Protection Mechanism Failure) indicates that a designed security control either fails to activate, can be circumvented, or is incorrectly enforced - in boot-stage code this commonly maps to weaknesses in signature verification logic, policy parsing, or trusted variable handling that allow an attacker to subvert the chain of trust before the OS kernel and its defenses load.

RemediationAI

Patch status: Patch available per vendor advisory - administrators should apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47656 on the next Patch Tuesday cycle for all affected Windows builds, ensuring the update propagates to bootmgr/bootmgfw.efi on the EFI system partition. Because boot-manager fixes historically require revoking previously-signed binaries, administrators should also plan for the eventual Secure Boot DBX (forbidden signature database) update that Microsoft typically stages separately; deploying it too eagerly without verifying updated bootloaders are in place on all volumes (including recovery partitions and bootable USB media) can render systems unbootable. As a compensating control prior to patching, restrict local administrative access using LAPS and tiered admin models so that the PR:H precondition cannot be met by ordinary users, and enable BitLocker with TPM+PIN so that any tampering with the boot manager forces a recovery-key prompt that signals compromise; the trade-off is added user friction at boot.

Share

CVE-2026-47656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy