Skip to main content

UEFI SHIM Bootloader EUVDEUVD-2026-35791

| CVE-2026-8863 HIGH
2026-06-09 certcc GHSA-4hqv-6cp5-4rq9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 21:20 vuln.today
CVSS changed
Jun 09, 2026 - 20:22 NVD
7.8 (HIGH)
CVE Published
Jun 09, 2026 - 18:10 nvd
HIGH 7.8
CVE Published
Jun 09, 2026 - 18:10 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Multiple version of UEFI SHIM bootloaders are vulnerable to SecureBoot bypass through lack of enforcement and validation SBAT. The following authenticode signatures are impacted by this disclosure AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961 - Spyrus WTGCreator version 4.2 FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5 - Baramundi Management Suite up to 2024R1 - A0DE9333442C1BF9349A460141AE5E80F911955C6506040FA3D021BF6C1AE3E4 WhiteCanyon WipeDrive versions 8.0.0 through 8.1.3. 95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06 - Finland Matriculation Exam Abitti 1 version 1.0.0 236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B - NTC IT Rosa R9, R10 8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963 - PC-Doctor Service Center 15, 16

AnalysisAI

SecureBoot bypass affecting multiple third-party UEFI SHIM bootloaders allows local attackers with low privileges to circumvent boot integrity due to missing SBAT (Secure Boot Advanced Targeting) enforcement and validation. Impacted signed binaries span PC-Doctor Service Center, Spyrus WTGCreator, WhiteCanyon WipeDrive, Baramundi Management Suite, Finland's Abitti 1 exam environment, and NTC IT Rosa R9/R10. CVSS is 7.8 (local, low privileges) and SSVC indicates no known exploitation with total technical impact, while no public exploit identified at time of analysis.

Technical ContextAI

UEFI SHIM is a Microsoft-signed first-stage bootloader used by Linux distributions and bootable utilities to chain to vendor-signed bootloaders while remaining trusted under Microsoft's UEFI Secure Boot CA. SBAT (Secure Boot Advanced Targeting) is the revocation mechanism that embeds component-and-version metadata into signed binaries so SHIM can refuse to chain-load outdated, vulnerable components without exhausting the limited DBX revocation space. The listed authenticode hashes correspond to SHIM builds shipped inside diagnostic, imaging, MDM, and exam-lockdown products that either omit SBAT metadata or fail to validate the SBAT policy, enabling chain-loading of revoked or malicious components. While no CWE is assigned, the root cause class is improper enforcement of a security policy (CWE-693-style control failure) at the firmware-to-OS trust boundary identified by CPEs across PC-Doctor, Spyrus, Blancco/WhiteCanyon, Baramundi, the Finland Matriculation Board, and Rosa.

RemediationAI

Patch availability is per-vendor: contact each affected product vendor (PC-Doctor, Spyrus, Blancco, Baramundi, the Finland Matriculation Board, NTC IT Rosa) for a SHIM build that ships and enforces correct SBAT metadata; specific patched versions beyond the upper-bound vulnerable versions listed in EUVD are not independently confirmed in the provided data. Track coordinated guidance via CERT/CC VU#616257 (https://kb.cert.org/vuls/id/616257) and Microsoft's CVE-2026-8863 advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8863), and once vendor-released patches are confirmed apply them and then push the corresponding SBAT revocation update (e.g., via fwupd/LVFS or Windows servicing) so revoked SHIMs cannot be re-staged. Compensating controls while waiting for fixes: remove the vulnerable SHIM binaries (by authenticode hash) from imaging, recovery, and bootable-USB workflows; restrict physical and administrative access to the EFI System Partition and to USB boot on managed endpoints; enforce BIOS/UEFI admin passwords and disable booting from removable media in firmware - note that disabling USB boot will break legitimate imaging/diagnostic workflows for the very products listed, so coordinate with the teams that rely on PC-Doctor, WipeDrive, and Baramundi tooling.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP6-CHOST-BYOS Not-Affected
SLES15-SP6-CHOST-BYOS-Aliyun Not-Affected
SLES15-SP6-CHOST-BYOS-Azure Not-Affected
SLES15-SP6-CHOST-BYOS-EC2 Not-Affected

Share

EUVD-2026-35791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy