Severity: HIGH | CVE-2026-47656 | CNA: microsoft

CVE-2026-47656: Windows Boot Manager Security Feature Bypass Vulnerability

Protection mechanism failure in Windows Boot Manager allows an authorized attacker to bypass a security feature locally.

Metrics

  • CVSS v3.1: 7.9
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20

HarborGuard Analysis

Synopsis

A protection mechanism failure (security feature bypass) in the Windows Boot Manager allows a local attacker with administrative privileges to circumvent boot-time security controls such as Secure Boot. The vulnerability is reached locally and requires no network exposure, but the attacker must already hold a high-privilege account on the target machine. Successful exploitation allows the attacker to undermine system integrity and confidentiality protections enforced at boot, enabling persistent tampering with the OS startup chain. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-47656 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Microsoft MSRC advisory) within minutes of publication and matched against customer images, including custom-built Windows-based container images. Any image whose Windows layer version falls within the affected ranges for Windows 10 or Windows 11 is flagged automatically.

Triage: Available

HarborGuard triage capability scores this CVE at CVSS 7.9 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and others per Windows release) is available on HarborGuard for all environments running an affected base image version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    An administrative or otherwise high-privileged account on the target system is required to exploit this vulnerability.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can carry out the exploit entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or special environmental factors.

Blast Radius

  • Reads confidential data protected by boot-time security controls, including secrets or keys that Secure Boot is intended to guard.
  • Modifies the OS boot chain by injecting unauthorized bootloader or early-startup code that persists across reboots.
  • Bypasses platform integrity measurements, allowing the system to boot into a compromised state that appears legitimate to remote attestation checks.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47656 is matched against customer image registries and CI pipelines within minutes of advisory ingestion, covering all Windows 10 and Windows 11 base image variants in the affected version ranges. For environments running affected images, a patched rebuild at the appropriate fix version is available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts automatic remediation, the finding is routed to the designated team inbox with CVSS scoring and policy-weighted priority so engineers can action it manually. Because this is a local-privilege, boot-level bypass, consider also reviewing which container base images include Windows Boot Manager components and whether those images run in contexts where an attacker could realistically obtain high-privilege local access.

Fix available

6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C