Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Claude for Chrome Flaw Exposes Gmail, Docs, Calendar Data
July 14, 2026
Critical Vulnerability in AsyncAPI npm Packages Exposes Users to Attack
July 14, 2026
Critical FortiSandbox CVE-2023-34981 Exposes VNC Server to Attackers
July 14, 2026
Home/CyberSecurity News/Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot
CyberSecurity News

Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot

Key Takeaways A critical vulnerability has been discovered in several Microsoft-signed UEFI shim bootloaders, some over a decade old. This flaw allows attackers to completely bypass UEFI Secure Boot...

Sarah simpson
Sarah simpson
July 14, 2026 4 Min Read
3 0

Key Takeaways

  • A critical vulnerability has been discovered in several Microsoft-signed UEFI shim bootloaders, some over a decade old.
  • This flaw allows attackers to completely bypass UEFI Secure Boot on virtually any UEFI-based machine, regardless of the operating system.
  • Exploitation enables the deployment of malicious UEFI bootkits even when Secure Boot is active.
  • Two CVEs (CVE-2026-8863 and CVE-2026-10797) track the issues, and Microsoft has released a dbx update to revoke the vulnerable shims.

Decade-Old UEFI Shim Flaw Undermines Secure Boot

An alarming vulnerability has come to light, revealing that specific Microsoft-signed UEFI shim bootloaders, some dating back as far as 2011, possess critical flaws that permit a complete bypass of UEFI Secure Boot. This exposure affects nearly all UEFI-enabled systems, irrespective of the installed operating system.

Table Of Content

  • Key Takeaways
  • Decade-Old UEFI Shim Flaw Undermines Secure Boot
  • The Mechanics of the Bypass
  • Vulnerability Tracking and Remediation
  • What You Should Do

Researchers at ESET uncovered that these vulnerable shims, all identified as version 0.9 or earlier, were digitally signed by Microsoft’s “Microsoft Corporation UEFI CA 2011” certificate. Despite containing known, exploitable weaknesses, these binaries have remained trusted components within the boot process for years.

The implications are severe: an attacker leveraging these shims can execute arbitrary, untrusted code during the crucial boot phase. This capability paves the way for deploying sophisticated malicious UEFI bootkits, such as Bootkitty, HybridPetya, or BlackLotus, even on systems where Secure Boot is fully enabled and configured.

Crucially, the threat extends beyond machines running specific affected software or Linux distributions. An adversary can introduce their own copy of a vulnerable shim to any system that recognizes Microsoft’s third-party UEFI certificate, effectively turning a secure system into a vulnerable one.

The Mechanics of the Bypass

UEFI shim bootloaders serve as an essential intermediary. Microsoft signs these first-stage components once, enabling various Linux distributions to boot successfully under Secure Boot without requiring each vendor to embed unique keys into every motherboard. The shim’s role is to then transfer trust to a second-stage bootloader, typically GRUB 2, using vendor-managed certificates.

The core problem lies in the age of many of these shims. They lack contemporary anti-revocation mechanisms, specifically the proper enforcement of the Machine Owner Key denylist (MokListX) and Secure Boot Advanced Targeting (SBAT). Both of these critical protections were introduced long after the vulnerable binaries were originally signed.

This deficiency means an attacker can pair an outdated shim with a GRUB 2 binary that has been separately revoked or is known to be vulnerable. The old shim, unaware of modern revocation lists, will simply fail to reject the malicious GRUB 2 component. The exploitation method mirrors a Bring Your Own Vulnerable Driver (BYOVD) attack, where the malicious shim and GRUB 2 pair can be placed directly onto the EFI System Partition and executed before the operating system even begins to load.

Vulnerability Tracking and Remediation

Two distinct CVE identifiers have been assigned to formally track these critical issues:

  • CVE-2026-8863: This identifier addresses the primary shim-bypass vulnerability reported to CERT/CC.
  • CVE-2026-10797: This covers a decade-old flaw in the shim’s revocation check mechanism, where it incorrectly reads the signature size from the PE structure. This allows attackers to completely circumvent dbx/MokListX revocation.

CERT/CC’s official vulnerability note confirms that the affected shims primarily originate from version 0.9 and earlier of the open-source shim project. These vulnerable components are found across various platforms, including PC-diagnostics tools, numerous Linux distributions, and other UEFI utilities.

ESET reported its findings to CERT/CC in February 2026. Following a period of coordination, Microsoft took action, revoking all 11 identified vulnerable shim binaries through a dbx update released on June 9th, 2026, as part of their Patch Tuesday rollout.

Once this update is applied, Secure Boot firmware will prevent the loading of any flagged shim versions by checking their SHA-256 Authenticode hashes against the forbidden signature database. It is important to note that all UEFI systems with Microsoft’s third-party UEFI signing enabled are exposed, though Windows 11 Secured-core PCs offer some inherent protection as this option is disabled by default.

What You Should Do

Security teams and end-users must approach the deployment of this patch with caution to prevent potential boot failures.

  • Deployment Order: Crucially, deploy the updated authorized signature database (db) first, and only then apply the dbx revocation list. Reversing this order can lead to systems rejecting legitimate, signed bootloaders.
  • Windows Systems: Windows users should receive the dbx update automatically through standard Patch Tuesday channels.
  • Linux Users: Linux users should actively check for updates via the Linux Vendor Firmware Service (LVFS) and verify their revocation status using the uefi-dbx-audit script.
  • Enterprise Testing: Enterprises should conduct thorough testing of the update on non-critical hardware before initiating a broad rollout. Improper deployment order can render systems unbootable.
  • Verification: Administrators can utilize PowerShell audit scripts to confirm that the necessary SHA-256 hashes are correctly present in their dbx variable.

This incident highlights a persistent challenge within the UEFI signing ecosystem: a lack of visibility. Many shims signed before 2017, predating the establishment of the shim-review transparency process, remain largely unaccounted for. This suggests that additional forgotten, exploitable binaries could still be trusted on systems globally, posing an ongoing risk.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

xAI Grok CLI Exposed Git Repos and .env Secrets on Cloud Storage

Next Post

Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot
July 14, 2026
xAI Grok CLI Exposed Git Repos and .env Secrets on Cloud Storage
July 14, 2026
Salesforce Fixes Critical OAuth Flaw Allowing Persistent Data Access
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us