CVE-2026-45588: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows a local attacker with administrative privileges to bypass the Secure Boot security feature entirely. The vulnerability is exploited locally, meaning the attacker must already have a shell or elevated process on the affected host, and no network access or victim interaction is needed. Successful exploitation lets an attacker load unsigned or tampered boot components, undermining the integrity guarantees that Secure Boot is designed to provide. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-45588 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Windows-based container images. Any image whose base OS version falls within the affected ranges is flagged automatically.
HarborGuard scores this CVE at 7.9 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, or 10.0.19044.7417 depending on the affected base image) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
  An administrative or otherwise privileged account is required to trigger the vulnerability.
- Victim interaction: Not required
  No victim action is needed; the attacker operates entirely on their own without requiring a user to click or open anything.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- A successful attacker disables the Secure Boot integrity check, allowing unsigned or maliciously modified boot-stage binaries to load on the system.
- With Secure Boot bypassed, an attacker can persist a bootkit or tampered bootloader that survives OS reinstalls and is invisible to standard endpoint detection running after boot.
- Confidential data protected by policies that assume a trusted boot chain (such as BitLocker keys sealed to a TPM with Secure Boot assertions) may be exposed.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45588 has been active across all connected registries and pipelines from the moment the CVE was ingested, with no manual configuration required. For environments running affected Windows base images, a patched rebuild at the appropriate fix version is available. Customers with auto-remediation enabled receive a rebuilt image, an automated regression run, and a pull request opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy permits auto-remediation, no manual triage step is needed. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS context and fix-version details so engineers can apply the patch on their own schedule. Because this is a locally exploited bypass of a boot-integrity mechanism rather than a remotely triggerable flaw, organizations may also consider compensating controls while patching is coordinated, such as enforcing least-privilege access policies on host systems and auditing privileged account membership.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
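The version-range matching described under HarborGuard Coverage can be sketched against the list above. This is an added example, not HarborGuard's or Microsoft's code: the FIXED_IN table is transcribed from this page, while the function names and the sample inventory are assumptions constructed for illustration.

```python
# Added example: match a Windows build against this page's fix versions.
# Server Core rows are omitted; the page gives them their base product's fix.
FIXED_IN = {
    "windows 10 version 1607": "10.0.14393.9234",
    "windows 10 version 1809": "10.0.17763.8880",
    "windows 10 version 21h2": "10.0.19044.7417",
    "windows 10 version 22h2": "10.0.19045.7417",
    "windows 11 version 23h2": "10.0.22631.7219",
    "windows 11 version 24h2": "10.0.26100.8655",
    "windows 11 version 25h2": "10.0.26200.8655",
    "windows 11 version 26h1": "10.0.28000.2269",
    "windows server 2012": "6.2.9200.26132",
    "windows server 2012 r2": "6.3.9600.23228",
    "windows server 2016": "10.0.14393.9234",
    "windows server 2019": "10.0.17763.8880",
    "windows server 2022": "10.0.20348.5256",
    "windows server 2025": "10.0.26100.32995",
}

def parse_version(text):
    """Split 'major.minor.build.revision' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows version: {text!r}")
    return tuple(int(p) for p in parts)

def status(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair."""
    fix = FIXED_IN.get(product.strip().lower())
    if fix is None:
        return "unknown"
    have, want = parse_version(version), parse_version(fix)
    if have[:3] != want[:3]:
        return "unknown"  # different build line than the one this row covers
    # Compare as integers: as strings, revision "999" would sort above "8880".
    return "affected" if have[3] < want[3] else "fixed"

def affected(inventory):
    """Filter (name, product, version) records down to the affected ones."""
    return [name for name, product, version in inventory
            if status(product, version) == "affected"]

# Constructed inventory; names and versions are made up for the example.
SAMPLE = [
    ("build-agent", "Windows Server 2019", "10.0.17763.999"),
    ("desktop-base", "Windows 11 Version 24H2", "10.0.26100.8655"),
    ("api-host", "Windows Server 2025", "10.0.26100.8655"),
    ("legacy-app", "Windows Server 2012 R2", "6.3.9600.23228"),
]
```

The lookup is keyed on product as well as build because the list gives Windows 11 Version 24H2 and Windows Server 2025 the same 10.0.26100 build line with different fix revisions, so 10.0.26100.8655 is fixed on one and still affected on the other.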
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C