CVE-2026-45654: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 10.0.26100.8655
- Affected Products: 6
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows a locally present, privileged attacker to bypass the Secure Boot security feature. The vulnerability requires an existing admin-level account on the host and is exploited entirely at the local level with no network access needed. Successful exploitation lets the attacker load unsigned or untrusted boot components, undermining boot-integrity guarantees and enabling persistent, low-level tampering that survives reboots. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows 11 or Windows Server 2025 builds.
HarborGuard Coverage
Detection capability for CVE-2026-45654 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Windows-based container images derived from affected base layers.
Available
HarborGuard scores this vulnerability at CVSS 7.9 (High) using the published v3.1 vector and can weight that score against each customer organization's compliance policy before routing alerts to the appropriate team inbox.
Available
Patched-image rebuilds pinned to the fix versions (10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, and 10.0.28000.2269) are available on HarborGuard for environments running affected builds. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
An admin or otherwise privileged account on the local machine is required; standard user access is not sufficient.
- Victim interaction: Not required
No action from another user or operator is needed to trigger the vulnerability.
- Attack complexity: Detail
The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or other environmental factors need to be satisfied.
Blast Radius
- Attacker loads unsigned or tampered bootloaders, bypassing Secure Boot enforcement on the affected host.
- Boot-level persistence becomes possible: malicious components injected before the OS loads survive reboots and standard OS-level defenses.
- Integrity guarantees provided by measured boot and attestation flows are broken, making remote attestation results untrustworthy.
- Confidentiality and availability of the running OS are not directly impacted by this specific flaw, but the bypass enables follow-on attacks that can affect both.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45654 is active the moment the CVE enters upstream feeds, with image matching covering all customer registries and pipelines including custom Windows-based images. Where compliance policy permits, patched-image rebuilds at the fixed versions are generated automatically; for customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test, and opens a PR against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Customers who cannot immediately apply the patched base image should consider restricting local admin account usage on hosts where boot-integrity guarantees are a compliance requirement, and should review attestation policies to flag hosts that can no longer produce a trusted boot measurement.
Fix available
- Microsoft / Windows 11 Version 24H2 < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2 < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1 < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows 11 Version 26H1 < 10.0.28000.2269 (from 1.0.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
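The following is an added example, not HarborGuard's or Microsoft's code: it triages image OS builds against the ranges in the list above. Builds are compared as integer tuples per product, because the 26100 branch has a different fix revision for Windows 11 24H2 (8655) than for Windows Server 2025 (32995). The function names, image names and inventory are constructed for illustration.

```python
# Ranges copied from the "Fix available" list: product -> (first affected, fixed).
# The second 26H1 row ("from 1.0.0") is left out; only its fixed build is shared.
FIX_TABLE = {
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows 11 Version 25H2": ("10.0.26200.0", "10.0.26200.8655"),
    "Windows 11 Version 26H1": ("10.0.28000.0", "10.0.28000.2269"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2025 (Server Core installation)":
        ("10.0.26100.0", "10.0.26100.32995"),
}


def parse_build(version):
    """Turn '10.0.26100.8655' into (10, 0, 26100, 8655); reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {version!r}")
    return tuple(int(p) for p in parts)


def status(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one product/build pair."""
    if product not in FIX_TABLE:
        return "not-listed"
    first, fixed = (parse_build(v) for v in FIX_TABLE[product])
    build = parse_build(version)
    # A build from another branch (e.g. 26200 reported for 24H2) is not covered
    # by this product's row, so do not call it fixed just because it is newer.
    if build[:3] != fixed[:3] or build < first:
        return "not-listed"
    return "fixed" if build >= fixed else "affected"


def triage(inventory):
    """Map each image name to its status."""
    return {name: status(product, ver) for name, product, ver in inventory}


# Constructed sample inventory (image names are made up).
SAMPLE = [
    ("ci/build-agent", "Windows Server 2025", "10.0.26100.9000"),
    ("desktop/gold", "Windows 11 Version 24H2", "10.0.26100.9000"),
    ("desktop/25h2", "Windows 11 Version 25H2", "10.0.26200.8655"),
    ("legacy/2022", "Windows Server 2022", "10.0.20348.2000"),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE).items():
        print(f"{name:16} {result}")
```

The same build string, 10.0.26100.9000, is fixed on Windows 11 24H2 and still affected on Windows Server 2025, which a plain string comparison of revision numbers would get wrong.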
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C