Skip to main content

Windows Secure Boot EUVDEUVD-2026-35524

| CVE-2026-48575 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-09 secure@microsoft.com GHSA-w4hq-xj64-h4pm
7.9
CVSS 3.1 · NVD
Temporal: 6.9
Share

Severity by source

NVD PRIMARY
7.9 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CIRCL (temporal)
6.9 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:47 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.9

DescriptionCVE.org

Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

AnalysisAI

Secure Boot bypass in Windows allows a local attacker with high privileges to defeat the platform's boot-time integrity protection mechanism, breaking the chain of trust that prevents unauthorized bootloaders and pre-OS code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 due to scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Successful exploitation undermines a foundational anti-tamper control and can enable persistent pre-OS implants such as bootkits.

Technical ContextAI

Secure Boot is a UEFI-based protection that validates the cryptographic signatures of bootloaders, option ROMs, and the OS loader against a database of trusted keys (db/dbx) before they are allowed to execute, anchoring the Windows boot chain to a hardware root of trust. CWE-693 (Protection Mechanism Failure) indicates the control itself fails to enforce its intended policy - typically because a check is missing, can be skipped, or trusts attacker-influenced state - rather than a memory-corruption or injection bug. In Windows this layer integrates with components such as the Windows Boot Manager, BitLocker measurements, VBS/HVCI, and the dbx revocation list shipped through Windows Update; a bypass at this layer therefore weakens every downstream defense that assumes a verified boot.

RemediationAI

Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48575 to all affected Windows systems; exact fix build numbers per SKU are listed on that page and should be cited from there rather than guessed. Because Secure Boot fixes frequently ship in two stages (an OS-side code update followed by a dbx/UEFI revocation that must be explicitly enabled), administrators should confirm whether this CVE requires deploying an updated UEFI revocation list (dbx) and follow Microsoft's staged enablement guidance to avoid bricking dual-boot or older recovery media. Compensating controls until patched include enforcing BitLocker with TPM+PIN so an attacker who bypasses Secure Boot cannot transparently access disk contents, requiring physical security and tamper-evident seals on high-value endpoints, restricting local administrator membership via LAPS and tiered admin to minimize the PR:H prerequisite, and monitoring measured-boot/TPM PCR values through Device Health Attestation to detect boot-chain tampering - each of these reduces but does not eliminate exposure, and BitLocker with PIN in particular adds user-experience cost.

Share

EUVD-2026-35524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy