{"vuid":"VU#616257","idnumber":"616257","name":"Microsoft-signed UEFI shim bootloaders vulnerable to Secure Boot bypass","keywords":null,"overview":"### Overview\r\nMicrosoft-signed UEFI bootloaders of the open-source shim project, primarily from version 0.9 and earlier, were identified as vulnerable to Secure Boot bypass. To mitigate this risk, the affected bootloaders will be added to the Microsoft UEFI Forbidden Signature Database (DBX). Once the DBX update is applied, these bootloaders will no longer be trusted for execution during the boot process.\r\n\r\nAn attacker could exploit these vulnerable shim bootloaders using a Bring Your Own Vulnerable Driver (BYOVD)-style technique to execute arbitrary code during the early boot phase, prior to operating system initialization, thereby bypassing Secure Boot protections.\r\n\r\n### Description\r\n\r\nThe Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains the \"Microsoft Corporation UEFI CA 2011\" certificate. This Microsoft certificate is widely used to sign third-party boot components intended to run under Secure Boot.\r\n\r\nThe open-source UEFI shim project is a small, signed bootloader that Microsoft signed using the \"Microsoft Corporation UEFI CA 2011\" certificate. Shim acts as a bridge between the motherboard's UEFI firmware and the operating system (typically a Linux distribution). Its purpose is to allow Linux distributions to boot with Secure Boot enabled without requiring every individual distribution's key to be built into the motherboard's NVRAM settings. 
In doing so, shim allows Linux distributions and other third parties to establish their own trust model through the use of Machine Owner Keys (MOKs), enabling additional bootloaders, kernels, and related components to execute within the Secure Boot chain. The shim project also introduced Secure Boot Advanced Targeting (SBAT), which provides a version-based revocation mechanism for boot components and simplifies future security updates and revocations.\r\n\r\nOver time, multiple security vulnerabilities were identified and corrected in the upstream shim project. However, a number of vendors had previously forked or customized older versions of shim for their own products and boot environments. In many cases, these vendor-specific bootloaders were not updated after vulnerabilities in the upstream project became publicly known. As a result, vulnerable bootloaders remained signed and trusted by Secure Boot systems because they had not been revoked through the Microsoft-signed DBX revocation list. This created a long-term supply chain exposure in which outdated and vulnerable boot components could still be executed on fully patched systems.\r\n\r\nResearchers from ESET identified multiple vulnerable shim bootloaders affected by these issues. 
The affected bootloaders will be added to Microsoft's official DBX revocation list as part of this coordinated disclosure.\r\n\r\n<table>\r\n\t<thead><tr> <th>Impacted shim bootloaders<br>\r\n\t\t[Vendor and Product Information<br>\r\n\t\tAuthenticode SHA hash<br>\r\n\t\tSHA256 file hash<br>\r\n\t\tCVE ID]<br>\r\n\t\t</th></tr>\r\n  </thead>\r\n  <tbody>\r\n    <tr><td><pre>Spyrus WTGCreator () from UEFI shim loader(0.7 (or lower))\r\nAE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961\r\n1D18DF4B15D3BC3DFFA1777A557075210DD0C53B\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>RedHat RedHat Enterprise Linux (7.2) from UEFI shim loader(0.9)\r\n7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10\r\n3F24DD838C5C9E35B104FA2F3B74AC6A5BF92FD2\r\nCVE pending from vendor</pre></td></tr>\r\n\r\n<tr><td><pre>RedHat CentOS (7.2) from UEFI shim loader(0.9)\r\nEB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A\r\nE133BE08E8AD17AC00E3C8ED215499C5F3C54E64\r\nCVE pending from vendor</pre></td></tr>\r\n\r\n<tr><td><pre>baramundi baramundi Management Suite (up to 2024R1) from UEFI shim loader(0.8)\r\nFD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5\r\n8637D7EFA23A8A5738F2E4AACB6C9919B405AA2C\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>WhiteCanyon/Blancco WipeDrive (versions 8.0.0 through 8.1.3.) 
from UEFI shim loader(0.7)\r\na0de9333442c1bf9349a460141ae5e80f911955c6506040fa3d021bf6c1ae3e4\r\n8A402AFCD3C23D9253BBEA08576113C63E448AD0\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>Finland's Matriculation Examination Board Abitti 1 (1.0) from UEFI shim loader(0.8)\r\n95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06\r\n8A83FA30DBF0073F33EAD298A7D5CD69A47C3A4B\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>NTC IT ROSA, LLC ROSA Linux (R10, R9) from UEFI shim loader(0.9)\r\n236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B\r\n8F9E8DB8E2C2157C2A591F2BE070FF96BFE318C7\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>Oracle America, Inc. OracleLinux (7.2) from UEFI shim loader(0.9)\r\n5E594C448760A3135B1A3A83E07A4F2E6FBE49414EF2C7CAB1CBA77F284FA63B\r\nA16136899A12AD214FA4FBA60072BA72FBAB8BCA\r\nCVE-2026-8863</pre></td></tr>\r\n\r\n<tr><td><pre>PC-Doctor, Inc. PC Doctor Service Center (15, 16) from UEFI shim loader(0.9)\r\n8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963\r\nBC01320D8FF8343B348EF8F3C947A66EB8FD9CE2\r\nCVE-2026-8863</pre></td></tr>\r\n    <tr><td><pre>OpenSuse OpenSuse Shim (10.1) from UEFI Shim loader (0.9)\r\n410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373\r\n3CF8BEB1E2885F51CA04002425C4F3C796D105BC\r\nCVE not provided</pre>      \r\n    </td></tr>\r\n    <tr><td><pre>OpenSuse OpenSuse Shim (2.1) from UEFI Shim loader (0.9) \r\n96275DFD6282A522B011177EE049296952AC794832091F937FBBF92869028629\r\n6DB5266E80C9D51CDD54421E736DF2E6E6879A56\r\nCVE not provided</pre>      \r\n    </td></tr>\r\n\t</tbody></table>\r\n\r\n### Impact\r\nAn attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. 
Code executed during this early boot phase may achieve persistent compromise of the platform, including the ability to load unsigned or malicious kernel components that can survive system reboots and, in some cases, operating system reinstallation. Because this activity occurs before the operating system and many security products initialize, malicious code executed through this technique may evade detection by operating system security controls and Endpoint Detection and Response (EDR) solutions.\r\n\r\n### Solution\r\n#### Apply a Patch\r\nApply the latest software updates along with the latest bootloader updates as provided by your hardware or software vendor. See the Vendor Information section for details. Updated software should replace any vulnerable shim bootloaders with versions that incorporate the latest upstream security fixes and SBAT protections. Additionally, Microsoft DBX updates should be applied to all UEFI-based systems to ensure that vulnerable bootloaders can no longer be executed during the Secure Boot process.\r\n\r\n#### Recommendations for Enterprises and Developers\r\nBecause modifications to the DBX (Forbidden Signature Database) can affect system boot behavior, vendors and administrators should thoroughly test these updates before broad deployment to ensure systems remain bootable. When deploying Secure Boot updates, it is recommended that the latest authorized signature database (DB) update be applied before DBX revocations are applied. In practice, this means updating trusted boot applications and certificates first, followed by deployment of the revocation list. Failure to follow this order may cause systems to reject newly updated boot components. Enterprises, virtualization providers, and cloud operators managing large-scale deployments should prioritize validation and deployment of these updates to prevent the execution of vulnerable or unsigned binaries during physical or virtual machine startup. 
Microsoft also provides DBX update files and related tooling through the following repository: [SecureBoot Objects](https://github.com/microsoft/secureboot_objects) \r\n\r\nAudit tools such as [Check-UEFISecureBootVariables](https://github.com/cjee21/Check-UEFISecureBootVariables) for Windows systems using PowerShell, and [uefi-dbx-audit](https://github.com/sei-vsarvepalli/uefi-dbx-audit/) for Linux systems, can be used to help verify that current DBX updates have been applied to UEFI-based laptops, desktops, servers, and virtual machines with Secure Boot enabled. These tools can also assist enterprise administrators in identifying revoked or vulnerable boot components present on a system. Audit and verification capabilities may vary depending on platform firmware implementation and support for revocation mechanisms such as SBAT and the newer Microsoft-specific Secure Version Numbering (SVN) enforcement.\r\n\r\n### Acknowledgements\r\nThanks to Martin Smolar of ESET for researching and reporting this vulnerability. 
This document was written by Vijay Sarvepalli.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8863","https://github.com/rhboot/shim/blob/main/SBAT.md","https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html","https://uefi.org/specs/UEFI/2.11/03_Boot_Manager.html","https://uefi.org/specs/UEFI/2.11/07_Services_Boot_Services.html","https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot","https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/","https://www.eset.com/us/about/newsroom/press-releases/eset-research-discovers-uefi-secure-boot-bypass-vulnerability/","https://blogs.gnome.org/hughsie/2025/01/20/fwupd-2-0-4-and-dbxupdate-20241101/","https://github.com/microsoft/secureboot_objects","https://github.com/cjee21/Check-UEFISecureBootVariables","https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/","https://github.com/sei-vsarvepalli/uefi-dbx-audit/","https://techcommunity.microsoft.com/blog/windows-itpro-blog/updated-secure-boot-status-report-in-windows-autopatch/4517920"],"cveids":["CVE-2026-8863"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-06-09T18:10:32.157331Z","publicdate":"2026-06-09T18:10:31.658747Z","datefirstpublished":"2026-06-09T18:10:32.176646Z","dateupdated":"2026-06-09T18:50:25.722718Z","revision":3,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":204}