
Microsoft has released security updates to address a Secure Boot bypass vulnerability affecting multiple Microsoft-signed UEFI shim bootloaders used by Linux distributions, recovery tools, and enterprise software.
The flaw, tracked as CVE-2026-8863, could allow attackers to execute malicious code before the operating system loads.
The issue was discovered by Martin Smolar of ESET and disclosed through a coordinated effort involving ESET, CERT/CC, Microsoft, and affected vendors. According to CERT/CC, numerous vendors continued shipping customized versions of the open-source shim bootloader based on outdated releases that lacked security fixes and modern revocation protections.
Shim is a small bootloader signed by Microsoft's “Microsoft Corporation UEFI CA 2011” certificate that enables Linux distributions and other third-party software to work with Secure Boot. While vulnerabilities in upstream shim versions were fixed years ago, some vendor-specific forks remained signed and trusted, creating a long-term security risk.
According to CERT/CC, attackers could exploit these bootloaders using a Bring Your Own Vulnerable Driver (BYOVD)-style technique to bypass Secure Boot and execute arbitrary code during the early boot process. Because this occurs before the operating system and security software initialize, attackers could potentially load unsigned kernel components, establish persistent malware, and evade detection by endpoint security products.
To address the issue, Microsoft is adding the affected bootloaders to the UEFI Forbidden Signature Database (DBX), which revokes trust in vulnerable boot components. Once the updated DBX is installed, the affected bootloaders will no longer be allowed to execute during startup.
Microsoft assigned CVE-2026-8863 an “Important” severity rating with a CVSS score of 7.8. The company says exploitation requires local administrator privileges or physical access.
The vulnerability affects numerous products that incorporate older shim versions, including:
- American Megatrends Incorporated (AMI)
- GIGABYTE
- Red Hat Enterprise Linux 7.2
- CentOS 7.2
- Oracle Linux 7.2
- ROSA Linux
- OpenSUSE
- Baramundi Software
- WipeDrive
- PC-Doctor Service Center
As CERT/CC evaluates additional vendors and confirms their exposure, more may be added to the bulletin in the coming days.
In a security bulletin published today, GIGABYTE said its investigation found no vulnerable third-party shim bootloaders embedded in its motherboard or laptop firmware. However, the company warned that systems lacking the updated DBX revocation list may still be vulnerable if attackers boot from external media containing one of the affected binaries.
Users and administrators should install Microsoft's June 2026 security updates and any bootloader updates provided by affected vendors. CERT/CC recommends updating trusted boot components before deploying DBX revocations to avoid boot issues. Administrators can verify DBX deployment using Microsoft's Check-UEFISecureBootVariables PowerShell script on Windows or the uefi-dbx-audit utility on Linux systems.
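To make the DBX mechanism described above concrete, here is an added example (not code from the article, Microsoft, CERT/CC or either tool the article names) that parses the EFI_SIGNATURE_LIST structures in a Secure Boot dbx variable, counts the SHA-256 and X.509 revocation entries, and checks whether a given hash is present. It runs offline against a constructed sample blob; the efivarfs path and the 4-byte attribute prefix follow the Linux efivarfs layout, and the sample hashes are constructed placeholders, not the hashes of the revoked shim binaries.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the Secure Boot image security database variables (db, dbx).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Where Linux efivarfs exposes the dbx variable (assumed mount point).
DBX_EFIVARS_PATH = Path(f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}")

SIG_LIST_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER_LEN = 16 + SIG_LIST_HEADER.size  # SignatureType GUID + the three sizes
SIG_OWNER_LEN = 16  # EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def strip_efivar_attributes(raw: bytes) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attribute word; drop it."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short to hold an attribute word")
    return raw[4:]


def parse_signature_lists(blob: bytes) -> dict:
    """Walk consecutive EFI_SIGNATURE_LIST structures.

    Returns {signature_type_guid: [signature_data, ...]} with the owner GUID
    removed from each EFI_SIGNATURE_DATA entry. Malformed input raises ValueError
    rather than silently under-counting revocations."""
    lists = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, off + 16)
        if list_size < SIG_LIST_HEADER_LEN or off + list_size > len(blob):
            raise ValueError("SignatureListSize runs past the end of the variable")
        if sig_size <= SIG_OWNER_LEN:
            raise ValueError("SignatureSize leaves no room for signature data")
        body_start = off + SIG_LIST_HEADER_LEN + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("signature list body is not a whole number of entries")
        entries = lists.setdefault(sig_type, [])
        for p in range(body_start, body_end, sig_size):
            entries.append(blob[p + SIG_OWNER_LEN:p + sig_size])
        off = body_end
    return lists


def dbx_summary(blob: bytes) -> dict:
    """Entry count per signature type, keyed by GUID string."""
    return {str(guid): len(entries) for guid, entries in parse_signature_lists(blob).items()}


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 revocation entries as lowercase hex."""
    return {h.hex() for h in parse_signature_lists(blob).get(EFI_CERT_SHA256_GUID, [])}


def is_hash_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given (Authenticode) SHA-256 hash is listed in dbx."""
    return sha256_hex.strip().lower() in revoked_sha256_hashes(blob)


# --- constructed sample data so the script runs without firmware access ---
def _build_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST whose entries all share one size."""
    sig_size = SIG_OWNER_LEN + len(entries[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    header = SIG_LIST_HEADER.pack(SIG_LIST_HEADER_LEN + len(body), 0, sig_size)
    return sig_type.bytes_le + header + body


# Placeholder hashes (constructed, not the real revoked shim hashes).
SAMPLE_REVOKED = [hashlib.sha256(b"constructed-sample-shim-1").digest(),
                  hashlib.sha256(b"constructed-sample-shim-2").digest()]
# Attribute word 0x27 = NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS.
SAMPLE_DBX_EFIVAR = (b"\x27\x00\x00\x00"
                     + _build_list(EFI_CERT_SHA256_GUID, SAMPLE_REVOKED)
                     + _build_list(EFI_CERT_X509_GUID, [b"\x30\x03\x02\x01\x00"]))  # dummy DER


if __name__ == "__main__":
    if DBX_EFIVARS_PATH.exists():
        blob = strip_efivar_attributes(DBX_EFIVARS_PATH.read_bytes())
        print("live dbx:", dbx_summary(blob))
    else:
        blob = strip_efivar_attributes(SAMPLE_DBX_EFIVAR)
        print("constructed sample dbx:", dbx_summary(blob))
    print("sample hash revoked:", is_hash_revoked(blob, SAMPLE_REVOKED[0].hex()))
```

The SHA-256 entries in dbx are Authenticode hashes of the PE image (computed over the binary with its checksum and certificate table excluded), not plain hashes of the file bytes, so a hash to look up must be produced the same way or taken from the vendor advisory. On a live system the script reads the variable from efivarfs and reports entry counts per type, which is a quick sanity check that a DBX update actually landed before relying on it.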