CVE-2026-8863
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CERT/CC

Description
Multiple Microsoft-signed UEFI SHIM bootloaders are vulnerable to Secure Boot bypass. An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. A specific UEFI DBX update is required to block these vulnerable boot loaders.
Meta Information

Published: 2026-06-09

Last Modified: 2026-06-09

Generated: 2026-06-10

AI Q&A: 2026-06-09

EPSS Evaluated: N/A
Affected Vendors & Products

Showing 16 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| spyrus | wtgcreator | 4.2 |
| baramundi | management_suite | to 2024R1 (inc) |
| whitecanyon | wipedrive | From 8.0.0 (inc) to 8.1.3 (inc) |
| finland_matriculation_exam | abitti | 1.0.0 |
| ntc_it | rosa | * |
| pc-doctor | service_center | * |
| microsoft | uefi_shim | 0.9 |
| spyrus | wtgcreator | * |
| redhat | enterprise_linux | * |
| centos | centos | * |
| baramundi | management_suite | * |
| whitecanyon | blancco_wipedrive | * |
| finland_matriculation_examination_board | abitti | * |
| ntc | rosa_linux | * |
| oracle | linux | * |
| opensuse | shim | * |
CWE
CWE ID Description
CWE-UNKNOWN
Executive Summary

CVE-2026-8863 is a vulnerability in Microsoft-signed UEFI shim bootloaders, primarily versions 0.9 and earlier, that allows attackers to bypass Secure Boot protections.

An attacker with administrative privileges or the ability to modify the boot process can exploit this vulnerability using a Bring Your Own Vulnerable Driver (BYOVD) technique to execute arbitrary code during the early boot phase before the operating system loads.

The issue exists because older shim versions lack sufficient verification mechanisms like Secure Boot Advanced Targeting (SBAT), enabling malicious code to persist even after system reboots or OS reinstallation.

To mitigate this, Microsoft plans to revoke trust in these vulnerable bootloaders by adding them to the UEFI Forbidden Signature Database (DBX), preventing their execution during Secure Boot.

Impact Analysis

This vulnerability can allow an attacker with local administrative access to bypass Secure Boot protections, a critical security feature designed to ensure that only trusted software runs during the boot process.

By exploiting this, attackers can execute arbitrary code early in the boot process, potentially installing persistent malware that survives system reboots and operating system reinstallations.

This can lead to complete compromise of system integrity, confidentiality, and availability, as attackers gain control before the OS security mechanisms are active.

Detection Guidance

Detecting this vulnerability means identifying whether your system uses a vulnerable Microsoft-signed UEFI shim bootloader, primarily versions 0.9 and earlier, which lack sufficient verification mechanisms.

Because the vulnerability is tied to the bootloader version and a Secure Boot bypass, detection typically requires checking the shim bootloader version installed on your system and verifying that the UEFI Forbidden Signature Database (DBX) has been updated to block vulnerable bootloaders.

Specific commands are not provided in the available resources, but generally you can check the shim version by inspecting the bootloader files or using system firmware utilities. On Linux systems, commands like `sbctl status` or inspecting the properties of the `shimx64.efi` file might help. On Windows, reviewing Secure Boot status and DBX updates via system firmware settings or Windows Update logs could assist.
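One way to perform the DBX check described above is to parse the revocation list directly. This is an added example, not code from this page or from any vendor. It walks the `EFI_SIGNATURE_LIST` structures defined in the UEFI specification and reports whether a given SHA-256 image digest is present. Assumptions: the function names, the Linux efivarfs path, and the sample digests are constructed for illustration; real DBX entries are Authenticode (PE image) digests rather than plain file hashes, and a shim can also be revoked by certificate, which this check does not cover.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed location of the dbx variable on a Linux host with efivarfs mounted
DBX_EFIVARFS = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def dbx_sha256_entries(blob):
    """Collect SHA-256 digests (hex) from a sequence of EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"corrupt signature list at offset {off}")
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            # Each entry is a 16-byte owner GUID followed by the 32-byte digest
            for pos in range(off + 28 + hdr_size, off + list_size - 47, 48):
                digests.add(blob[pos + 16:pos + 48].hex())
        off += list_size  # other list types (e.g. X.509) are skipped whole
    return digests

def read_dbx(path=DBX_EFIVARFS):
    """Read dbx from Linux efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]

def is_revoked(blob, image_digest_hex):
    """True if the given image digest appears as a SHA-256 entry in dbx."""
    return image_digest_hex.lower() in dbx_sha256_entries(blob)

def _sig_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    sig_size = 16 + len(entries[0])
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample dbx: one dummy X.509 list plus two placeholder digests
BLOCKED = hashlib.sha256(b"constructed vulnerable shim").digest()
OTHER = hashlib.sha256(b"constructed other image").digest()
SAMPLE_DBX = (_sig_list(EFI_CERT_X509, [b"\x30\x82" + b"\x00" * 40])
              + _sig_list(EFI_CERT_SHA256, [BLOCKED, OTHER]))

if __name__ == "__main__":
    print(is_revoked(SAMPLE_DBX, BLOCKED.hex()))
    print(is_revoked(SAMPLE_DBX, "00" * 32))
```

On a real host, pass `read_dbx()` as the blob and supply the Authenticode digest of the shim image under review, obtained from the vendor's advisory or a signing tool.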

Mitigation Strategies

Immediate mitigation steps include applying the latest software and bootloader updates from your vendors to ensure that vulnerable shim bootloaders are replaced or patched.

Ensure that your system has the latest UEFI Forbidden Signature Database (DBX) updates installed, which Microsoft uses to revoke trust in vulnerable bootloaders and prevent their execution during Secure Boot.

Since the vulnerability requires administrative privileges or the ability to modify the boot process, restricting such access and monitoring for unauthorized changes to the bootloader or firmware settings is also recommended.
