CVE-2024-8105
Description
A vulnerability related to the use of an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PKfail: Insecure Platform Keys in UEFI allow attackers with compromised private keys to bypass Secure Boot and execute untrusted code.
Vulnerability Description
PKfail (CVE-2024-8105) stems from the use of hard-coded test keys, known as softkeys, in production UEFI firmware. These keys were intended only for testing but were inadvertently shipped, making their private keys accessible to attackers [1][3]. The Platform Key (PK) is meant to establish trust between the platform owner and the firmware, but the use of insecure keys undermines this trust [4].
Exploitation
An attacker who obtains the compromised PK private key can sign malicious UEFI binaries as if they were trusted. This allows bypassing Secure Boot enforcement, enabling the execution of untrusted code during the boot process [1][2]. The attack does not require physical access if the key is obtained remotely (e.g., from leaked firmware images or compromised development environments).
Impact
Successful exploitation enables persistent, low-level compromise of the system. Attackers can install bootkits, modify UEFI variables, and subvert operating system security mechanisms. The vulnerability affects a wide range of devices from multiple vendors, including Acer, Dell, and Aopen, as documented in the reference [1].
Mitigation
Intel has issued a security announcement [2], and CERT/CC has published a vulnerability note [3][4]. Mitigations include updating firmware with properly generated Platform Keys from a secure hardware security module (HSM). Affected vendors are expected to provide firmware updates that replace the insecure keys.
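The Vulnerability Description and Mitigation paragraphs above both come down to one question a defender can answer locally: which certificate is currently enrolled as the Platform Key? The PK is stored as an EFI_SIGNATURE_LIST in the `PK` UEFI variable, and the enrolled X.509 certificate's subject can be inspected without any vendor tooling. The following audit script is an added example and is not code from this CVE record, from Binarly, or from CERT/CC. It assumes: (a) the efivarfs layout on Linux, where the variable file carries a 4-byte attribute word before the signature list; (b) the EFI_SIGNATURE_LIST and EFI_SIGNATURE_DATA layouts from the UEFI specification [4]; and (c) that the shipped test keys can be recognised by a "DO NOT TRUST"-style string in the certificate subject, which is based on public reporting and should be confirmed against the Binarly advisory [1] before relying on it. The two sample PK variables embedded in the block are constructed in-script from hand-built certificate shells (no key, no signature), so the script runs offline.

```python
import struct
import uuid

# GUID identifying X.509 entries in an EFI_SIGNATURE_LIST (UEFI spec, Secure Boot chapter).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# ASSUMPTION: public PKfail reporting describes the shipped test PKs as carrying a
# "DO NOT TRUST" marker in the certificate subject. Verify against the advisory [1].
UNTRUSTED_SUBJECT_MARKERS = ("DO NOT TRUST", "DO NOT SHIP")


def der_read(buf, off):
    """Read one DER TLV at buf[off:]; return (tag, content, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length: next n bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(content):
    """Split the content of a constructed DER node into its child (tag, content) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = der_read(content, off)
        out.append((tag, body))
    return out


def x509_subject_cn(cert_der):
    """Walk Certificate -> tbsCertificate -> subject and return the commonName (OID 2.5.4.3)."""
    _, cert, _ = der_read(cert_der, 0)
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version field
        fields = fields[1:]
    subject = fields[4][1]                  # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in der_children(subject):    # each RDN is a SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == b"\x55\x04\x03":   # id-at-commonName
                return value[1].decode("utf-8", "replace")
    return ""


def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        entries = blob[off + 28 + hdr_size: off + list_size]
        for i in range(0, len(entries), sig_size):
            entry = entries[i:i + sig_size]   # EFI_SIGNATURE_DATA: owner GUID + payload
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def audit_pk(efivar_bytes, strip_attributes=True):
    """Return [(subject_cn, flagged)] for each X.509 certificate enrolled in the PK variable."""
    blob = efivar_bytes[4:] if strip_attributes else efivar_bytes  # efivarfs 4-byte attr word
    results = []
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        cn = x509_subject_cn(data)
        results.append((cn, any(m in cn.upper() for m in UNTRUSTED_SUBJECT_MARKERS)))
    return results


# --- constructed sample data (not real firmware keys) -------------------------------
def der(tag, content):
    """Encode one DER TLV with a minimal-length header."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(cn):
    """Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String cn }."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))


def fake_cert(cn):
    """Structurally valid X.509 DER shell (no key, no signature) for demonstration only."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
              + name(cn) + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + name(cn) + der(0x30, b""))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


def build_pk_variable(cert_der, owner=uuid.UUID(int=0)):
    """Wrap one certificate in an EFI_SIGNATURE_LIST, prefixed by the efivarfs attribute word."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    attrs = struct.pack("<I", 0x27)   # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return attrs + header + owner.bytes_le + cert_der


SAMPLE_TEST_PK = build_pk_variable(fake_cert("DO NOT TRUST - Sample Test PK"))   # constructed
SAMPLE_VENDOR_PK = build_pk_variable(fake_cert("Example Vendor Platform Key"))   # constructed

if __name__ == "__main__":
    for label, blob in (("test", SAMPLE_TEST_PK), ("vendor", SAMPLE_VENDOR_PK)):
        for cn, flagged in audit_pk(blob):
            print(f"{label}: subject CN={cn!r} flagged={flagged}")
```

On a live Linux system the input to `audit_pk` would be the contents of `/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c` (the suffix is the EFI_GLOBAL_VARIABLE GUID); a flagged result means the platform owner key is a known test key and the vendor firmware update replacing it should be applied. The hand-rolled DER walker exists only to keep the example dependency-free; in production, hand the extracted certificate bytes to a full X.509 parser and compare the whole certificate (not just the CN) against the advisory's list.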
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (9)
- github.com/binarly-io/Vulnerability-REsearch/blob/main/PKfail/BRLY-2024-005.md (nvd)
- kb.cert.org/vuls/id/455367 (nvd)
- security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-072412-Security-Notice.pdf (nvd)
- uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html (nvd)
- www.binarly.io/advisories/brly-2024-005 (nvd)
- www.gigabyte.com/us/Support/Security/2205 (nvd)
- www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2024-07-25-001.html (nvd)
- www.kb.cert.org/vuls/id/455367 (nvd)
- www.supermicro.com/en/support/security_PKFAIL_Jul_2024 (nvd)
News mentions (0)
No linked articles in our index yet.