Microsoft Revokes Bootloaders That Could Bypass Secure Boot
A Secure Boot trust issue allowed several outdated Microsoft-signed bootloaders to remain trusted despite containing known vulnerabilities.
ESET researchers identified 11 legacy shim bootloaders that attackers could potentially use to bypass Secure Boot protections. The issue affects Microsoft’s bootloader trust chain and does not represent a vulnerability in Windows 11 itself.
Legacy Linux Shim Bootloaders Remained Trusted
The affected files are Microsoft-signed shim bootloaders primarily used by Linux distributions to support Secure Boot.
Researchers found 11 vulnerable binaries from shim version 0.9 or earlier. These bootloaders date back to around 2015 and contain vulnerabilities that have remained publicly known for years.
Despite their age, many systems continued to trust the bootloaders because Microsoft had signed them for use within the Secure Boot ecosystem.
Attackers Could Bring Their Own Vulnerable Bootloader
An attacker would not need to find one of the affected bootloaders already installed on a target computer.
Instead, the attacker could introduce and run a vulnerable but trusted shim. Researchers describe this method as a Bring Your Own Vulnerable Bootloader, or BYOVB, attack.
Systems that still trust the Microsoft Corporation UEFI CA 2011 certificate could allow one of the outdated shims to execute during startup.
A successful attack could weaken Secure Boot and create an opportunity to run unauthorized code before the operating system loads.
Older Shims Lack Modern Revocation Protections
The affected bootloaders predate several security mechanisms included in newer shim releases.
Secure Boot Advanced Targeting, known as SBAT, allows vendors to revoke specific bootloader generations without blocking every release. Shim version 15.3 and newer supports this protection.
The Machine Owner Key deny list arrived with shim version 0.9. Older releases may not correctly process modern SBAT metadata or enforce MOK-based revocations.
Attackers could use these limitations to avoid restrictions that updated bootloaders would normally apply.
Microsoft Revokes the 11 Bootloaders
ESET disclosed the issue to CERT/CC in February 2026.
Microsoft later revoked all 11 affected shim binaries by adding their signatures to the UEFI Forbidden Signature Database. This database prevents systems from loading boot components that vendors no longer consider trustworthy.
Microsoft first distributed the revocations through the June 2026 update KB5094126. The company also included them in the July cumulative Patch Tuesday update KB5101650.
Installing the latest cumulative Windows update should apply the relevant Secure Boot revocations on supported systems.
Secure Boot Certificates Are Also Changing
The discovery comes as Microsoft replaces several aging Secure Boot certificates.
Some existing certificates reached their 15-year mark in June 2026. Microsoft is moving supported devices to newer certificates to preserve the integrity of the Secure Boot trust chain.
The transition should reduce reliance on older signing infrastructure and help prevent outdated boot components from remaining trusted indefinitely.
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages