Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
AnalysisAI
Security feature bypass in Windows Secure Boot enables a high-privileged local attacker to circumvent boot-time integrity protections, undermining the chain of trust that prevents unauthorized firmware and bootloader code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 rating driven by scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Because Secure Boot is the foundation for downstream protections like BitLocker, Virtualization-Based Security, and Measured Boot, bypass enables persistent pre-OS implants that survive reimaging.
Technical ContextAI
Windows Secure Boot is a UEFI-based mechanism that validates the signatures of bootloaders, the Windows boot manager, and early-launch antimalware drivers against keys stored in firmware (PK, KEK, db, dbx) before allowing execution. CWE-693 (Protection Mechanism Failure) indicates the protection itself is logically defeated rather than crashed - typically through a flaw in signature validation, a trusted-but-vulnerable component in the allow-list, a TOCTOU in the verification path, or an unsanitized variable/policy that lets unsigned or revoked code load. Affected component is Microsoft's Secure Boot implementation on Windows; the only reference provided is MSRC advisory CVE-2026-45588 with no CPE strings supplied to enumerate exact builds.
RemediationAI
Apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45588 to all affected Windows systems (patch available per vendor advisory; exact KB and fix build were not provided in the input data and must be retrieved from MSRC). Because Secure Boot bypasses historically also require a UEFI dbx (forbidden signature database) update to revoke the vulnerable component, verify whether Microsoft has issued an accompanying dbx update and stage its deployment carefully - dbx updates have previously bricked dual-boot systems and older Linux distributions, so test on representative hardware first. Compensating controls while patching is in flight: restrict local administrator group membership (PR:H is required to exploit, so reducing who holds admin sharply reduces the attack surface), enforce LAPS, enable BitLocker with TPM+PIN so that an attacker with admin must still survive a reboot challenge, and monitor for unexpected changes to UEFI variables and boot configuration via endpoint telemetry.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35514
GHSA-cx87-mv7w-77j9