High severity 7.8 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-8863

Description

UEFI SHIM bootloaders are vulnerable to Secure Boot bypass due to SBAT validation flaws, allowing arbitrary code execution during early boot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Multiple versions of the UEFI SHIM bootloader, primarily version 0.9 and earlier, are vulnerable to a Secure Boot bypass. This vulnerability stems from a lack of enforcement and validation of SBAT (Secure Boot Assurance) by the bootloader. The issue affects specific Authenticode signatures used by various software vendors, including Spyrus WTGCreator, Baramundi Management Suite, WhiteCanyon WipeDrive, Finland Matriculation Exam Abitti, NTC IT Rosa, and PC-Doctor Service Center [1].
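For triage of EFI binaries found on an EFI System Partition or in vendor boot media, the following added example (not code from this advisory or from the shim project) parses a PE image and reports the component generations recorded in its `.sbat` section, returning `None` when the section is missing. It assumes that a shim binary with no `.sbat` section predates SBAT metadata and deserves review; the function names are hypothetical and the sample image and SBAT text are constructed.

```python
import struct

def pe_sections(data):
    """Map section name -> raw bytes for a PE/COFF image (EFI binaries are PE)."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (count,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
        (opt,) = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
        sections = {}
        for i in range(count):
            off = pe_off + 24 + opt + 40 * i                    # 40-byte section headers
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
            sections[name] = data[raw_ptr:raw_ptr + raw_size]
        return sections
    except struct.error as exc:
        raise ValueError("truncated PE image") from exc

def sbat_entries(data):
    """Return [(component, generation)] from .sbat, or None when the section is absent."""
    raw = pe_sections(data).get(".sbat")
    if raw is None:
        return None
    entries = []
    for line in raw.rstrip(b"\0").decode("utf-8", "replace").splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= 2 and fields[1].isdecimal():
            entries.append((fields[0], int(fields[1])))
    return entries

def build_sample(sbat=None):
    """Constructed minimal PE image (not a real bootloader) for offline testing."""
    secs = [(b".text", b"\x90" * 16)] + ([(b".sbat", sbat)] if sbat is not None else [])
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0, 0)
    ptr, table, body = len(hdr) + 40 * len(secs), b"", b""
    for name, raw in secs:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0, len(raw), ptr + len(body))
        table += b"\0" * 16
        body += raw
    return hdr + table + body

SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n")  # constructed
```

A `None` result only flags a binary for review; whether firmware will still run it depends on the DBX contents described under Mitigation.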

Exploitation

An attacker can exploit this vulnerability using a Bring Your Own Vulnerable Driver (BYOVD) technique. This involves leveraging a vulnerable shim bootloader to execute arbitrary code during the early boot phase, before the operating system fully initializes. This early execution allows the attacker to bypass Secure Boot protections by injecting malicious code into the boot process [1].

Impact

Successful exploitation of this vulnerability allows an attacker to bypass Secure Boot, a critical security feature designed to prevent unauthorized code from running during system startup. By executing arbitrary code early in the boot process, an attacker can compromise the integrity of the system, potentially leading to the installation of persistent malware, data theft, or complete system control before the operating system's security mechanisms are active [1].

Mitigation

Microsoft is mitigating this risk by adding the affected bootloaders to the Microsoft UEFI Forbidden Signature Database (DBX). Once the DBX update is applied, these bootloaders will no longer be trusted for execution during the boot process. Specific fixed versions and release dates for the affected vendor software are not yet disclosed in the available references. Users are advised to monitor for DBX updates and vendor advisories for specific patching information [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

3