Skip to main content

Windows Secure Boot EUVDEUVD-2026-35521

| CVE-2026-48568 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-09 secure@microsoft.com GHSA-wm7m-2hvr-5m88
7.9
CVSS 3.1 · NVD
Temporal: 6.9
Share

Severity by source

NVD PRIMARY
7.9 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CIRCL (temporal)
6.9 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:49 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.9

DescriptionCVE.org

Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

AnalysisAI

Security feature bypass in Microsoft Windows Secure Boot allows a local attacker with high privileges to defeat the platform's boot-time integrity protections, achieving cross-scope confidentiality and integrity impact on the host. The flaw is tracked under CWE-693 (Protection Mechanism Failure) and carries a CVSS 3.1 base score of 7.9 with no public exploit identified at time of analysis. Because the scope is Changed (S:C), successful exploitation lets the attacker influence components outside the originally vulnerable security boundary - typically the trusted boot chain itself.

Technical ContextAI

Secure Boot is a UEFI-based protection mechanism that validates the cryptographic signatures of bootloaders, the Windows kernel, and early-boot drivers against keys stored in firmware (PK, KEK, db, dbx) before allowing them to execute. CWE-693 (Protection Mechanism Failure) indicates that the control intended to enforce this validation can be circumvented rather than that a cryptographic primitive itself is broken - typical instances involve flaws in policy parsing, revocation list (dbx) handling, signature verification logic, or how Windows boot components consume Secure Boot state. The scope change (S:C) in the CVSS vector is consistent with a boot-component bypass: compromise of a privileged component on the OS side translates into impact on the firmware/boot trust boundary.

RemediationAI

Patch status is best characterized as 'Patch available per vendor advisory' based on the MSRC reference; the supplied data does not include an exact fix KB or build number, so administrators should consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48568 to identify the correct cumulative update for each affected Windows SKU and deploy it through WSUS, Intune, or Windows Update for Business. Because exploitation requires high local privileges, compensating controls should focus on minimizing the population of accounts that could chain this bypass: enforce LAPS for local Administrator accounts, restrict Tier-0 admin logons to Privileged Access Workstations, and require Credential Guard plus Protected Users group membership for privileged identities (trade-off: Credential Guard breaks some legacy SSO and Kerberos unconstrained-delegation scenarios). Where attestation matters, configure TPM-backed BitLocker with PCR 7 binding and enable Device Health Attestation so a successful Secure Boot bypass would surface as a failed attestation rather than going unnoticed (trade-off: PCR 7 policies can lock users out after legitimate firmware updates and require recovery-key rotation planning). Additionally, ensure the UEFI dbx revocation list is kept current via the Windows Secure Boot DBX update mechanism so that any revoked components called out in the advisory are actually blocked at boot.

Share

EUVD-2026-35521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy