CVE-2026-45656: UEFI Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows UEFI allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows UEFI Secure Boot allows a locally authenticated attacker to bypass the Secure Boot security feature. The vulnerability is exploited locally and requires only a low-privilege account, with no network access or victim interaction needed. Successful exploitation lets an attacker load unsigned or malicious boot components, undermining the integrity guarantees that Secure Boot provides. Patched-image rebuilds at the listed fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-45656 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including Microsoft advisories. Coverage extends to custom-built images that bundle affected Windows components, not just official base images.
HarborGuard scores this CVE at CVSS 7.8 (HIGH) and applies per-environment compliance policy weighting to surface it in the right priority queue. Routing to the appropriate team inbox within each customer organization is handled automatically based on the policies each org has configured.
Patched-image rebuilds at the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and later Windows 11 equivalents) are available on HarborGuard for environments running affected versions. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
A low-privilege local account is sufficient; the attacker does not need administrator or system-level credentials to trigger the bypass.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is needed; the attacker can execute the exploit entirely on their own.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race windows, or memory-layout requirements on the attacker.
Blast Radius
- Attacker loads unsigned or otherwise untrusted boot components, bypassing the chain-of-trust validation that UEFI Secure Boot enforces at startup.
- Attacker persists malicious code below the operating system layer, making it invisible to OS-level endpoint detection and surviving OS reinstalls.
- Attacker gains full control over system integrity checks, enabling subsequent privilege escalation or installation of a bootkit.
- Confidentiality, integrity, and availability of the host are all fully compromised once Secure Boot enforcement is defeated.
How HarborGuard Handles This
Available on HarborGuard: detection for this HIGH-severity Secure Boot bypass is matched against customer images the moment the advisory is ingested, covering both standard Windows base images and any custom images that layer affected Windows components. For environments running affected Windows versions, patched-image rebuilds at the fix versions listed in the advisory are available immediately. For customers who opt into auto-remediation, the typical flow is a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the rebuilt image is staged and the finding is routed to the designated team inbox for manual review and promotion. Because this vulnerability requires local access and a valid low-privilege account, compensating controls such as restricting interactive logon rights, enforcing application allowlisting, and auditing local account provisioning can reduce exposure while a patch window is scheduled.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
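The "Fix available" list above can be turned into an inventory check; the following is an added example, not HarborGuard or Microsoft code. It assumes builds are recorded as `major.minor.build.revision`; the function names, host names and inventory rows are constructed for illustration. Note that Windows 11 24H2 and Windows Server 2025 share the 10.0.26100 branch but have different fixed revisions, so the product must be known, and revisions must be compared as numbers.

```python
# First fixed build per product, copied from the "Fix available" list
# (capitalisation of "Version" normalised).
FIXED = {
    "Windows 10 Version 1607": "10.0.14393.9234",
    "Windows 10 Version 1809": "10.0.17763.8880",
    "Windows 10 Version 21H2": "10.0.19044.7417",
    "Windows 10 Version 22H2": "10.0.19045.7417",
    "Windows 11 Version 23H2": "10.0.22631.7219",
    "Windows 11 Version 24H2": "10.0.26100.8655",
    "Windows 11 Version 25H2": "10.0.26200.8655",
    "Windows 11 Version 26H1": "10.0.28000.2269",
    "Windows Server 2012": "6.2.9200.26132",
    "Windows Server 2012 R2": "6.3.9600.23228",
    "Windows Server 2016": "10.0.14393.9234",
    "Windows Server 2019": "10.0.17763.8880",
    "Windows Server 2022": "10.0.20348.5256",
    "Windows Server 2025": "10.0.26100.32995",
}
CORE = " (Server Core installation)"

def parse_build(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return parts

def is_vulnerable(product, build):
    name = product.replace(CORE, "")  # Server Core shares the full install's fix build
    fixed = parse_build(FIXED[name])  # KeyError: product is not in the advisory
    have = parse_build(build)
    if have[:3] != fixed[:3]:
        raise ValueError(f"{build} is not a {name} build")
    return have < fixed  # numeric compare; as strings "9000" sorts after "32995"

# Constructed inventory rows (host, product, build); not real systems.
INVENTORY = [
    ("ws-01", "Windows 11 Version 24H2", "10.0.26100.9000"),
    ("srv-01", "Windows Server 2025", "10.0.26100.9000"),
    ("srv-02", "Windows Server 2019 (Server Core installation)", "10.0.17763.8880"),
    ("srv-03", "Windows Server 2012 R2", "6.3.9600.23227"),
]

def triage(rows):
    """Return the hosts whose build is below the fixed build for their product."""
    return [host for host, product, build in rows if is_vulnerable(product, build)]
```
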
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C