Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
AnalysisAI
Security feature bypass in Microsoft Windows Secure Boot allows a local attacker with high privileges to defeat the platform's boot-time integrity protections, achieving cross-scope confidentiality and integrity impact on the host. The flaw is tracked under CWE-693 (Protection Mechanism Failure) and carries a CVSS 3.1 base score of 7.9 with no public exploit identified at time of analysis. Because the scope is Changed (S:C), successful exploitation lets the attacker influence components outside the originally vulnerable security boundary - typically the trusted boot chain itself.
Technical ContextAI
Secure Boot is a UEFI-based protection mechanism that validates the cryptographic signatures of bootloaders, the Windows kernel, and early-boot drivers against keys stored in firmware (PK, KEK, db, dbx) before allowing them to execute. CWE-693 (Protection Mechanism Failure) indicates that the control intended to enforce this validation can be circumvented rather than that a cryptographic primitive itself is broken - typical instances involve flaws in policy parsing, revocation list (dbx) handling, signature verification logic, or how Windows boot components consume Secure Boot state. The scope change (S:C) in the CVSS vector is consistent with a boot-component bypass: compromise of a privileged component on the OS side translates into impact on the firmware/boot trust boundary.
RemediationAI
Patch status is best characterized as 'Patch available per vendor advisory' based on the MSRC reference; the supplied data does not include an exact fix KB or build number, so administrators should consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48568 to identify the correct cumulative update for each affected Windows SKU and deploy it through WSUS, Intune, or Windows Update for Business. Because exploitation requires high local privileges, compensating controls should focus on minimizing the population of accounts that could chain this bypass: enforce LAPS for local Administrator accounts, restrict Tier-0 admin logons to Privileged Access Workstations, and require Credential Guard plus Protected Users group membership for privileged identities (trade-off: Credential Guard breaks some legacy SSO and Kerberos unconstrained-delegation scenarios). Where attestation matters, configure TPM-backed BitLocker with PCR 7 binding and enable Device Health Attestation so a successful Secure Boot bypass would surface as a failed attestation rather than going unnoticed (trade-off: PCR 7 policies can lock users out after legitimate firmware updates and require recovery-key rotation planning). Additionally, ensure the UEFI dbx revocation list is kept current via the Windows Secure Boot DBX update mechanism so that any revoked components called out in the advisory are actually blocked at boot.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35521
GHSA-wm7m-2hvr-5m88