CVE-2026-21265

MEDIUM EPSS 57.2%
Published Jan 13, 20265mo ago · Modified Jun 17, 20262w ago
6.4 CVSS 3.1
Medium
Find Similar
Published Jan 13, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.

CVSS Details

Base Score
6.4
Exploitability
0.5
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
57.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-1329

Affected Products 23

VendorProductVersionRange
microsoftwindows_10_1607* <10.0.14393.8783
microsoftwindows_10_1607* <10.0.14393.8783
microsoftwindows_10_1809* <10.0.17763.8276
microsoftwindows_10_1809* <10.0.17763.8276
microsoftwindows_10_21h2* <10.0.19044.6809
microsoftwindows_10_21h2* <10.0.19044.6809
microsoftwindows_10_21h2* <10.0.19044.6809
microsoftwindows_10_22h2* <10.0.19045.6809
microsoftwindows_10_22h2* <10.0.19045.6809
microsoftwindows_10_22h2* <10.0.19045.6809
microsoftwindows_11_23h2* <10.0.22631.6491
microsoftwindows_11_23h2* <10.0.22631.6491
microsoftwindows_11_24h2* <10.0.26100.7623
microsoftwindows_11_24h2* <10.0.26100.7623
microsoftwindows_11_25h2* <10.0.26200.7623
microsoftwindows_11_25h2* <10.0.26200.7623
microsoftwindows_server_2012*any
microsoftwindows_server_2012r2any
microsoftwindows_server_2016* <10.0.14393.8783
microsoftwindows_server_2019* <10.0.17763.8276
microsoftwindows_server_2022* <10.0.20348.4648
microsoftwindows_server_2022_23h2* <10.0.25398.2092
microsoftwindows_server_2025* <10.0.26100.32230

References 1

  • msrc.microsoft.com https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.