CVE-2026-48568: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows an attacker who already holds administrative privileges on a local machine to bypass the Secure Boot security feature entirely. The vulnerability is exploited locally and requires no network access or victim interaction, though it does require an account with high privileges. Successful exploitation lets an attacker load unsigned or untrusted boot components, undermining the chain of trust from firmware through the operating system loader. A patched-image rebuild at the fix versions is available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-48568 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including Microsoft Security Response Center advisories. Coverage extends to custom-built images that include affected Windows base layers across all affected version ranges.
HarborGuard can score this CVE at CVSS 7.9 (HIGH) and weight it against each environment's compliance policy, escalating severity where boot-integrity or supply-chain controls are a policy requirement. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Patched-image rebuilds at fix versions 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and 10.0.19044.7417 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test pass, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
An administrator or other high-privilege account is needed to exploit this vulnerability; standard unprivileged accounts are not sufficient.
- Victim interaction: Not required
No action from another user or victim is required; the attacker operates entirely within their own session.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- An attacker loads unsigned or otherwise untrusted boot components, bypassing Secure Boot enforcement and breaking the firmware-to-OS chain of trust.
- Confidential data protected by boot-time integrity checks (such as BitLocker keys derived from TPM measurements) becomes readable to the attacker.
- Persistent, low-level implants or bootkits can be installed that survive OS reinstallation and are invisible to OS-level security tooling.
- Because the scope is Changed (S:C in the CVSS vector), the compromise extends beyond the initially vulnerable component and can affect the broader system trust boundary.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48568 is active the moment the advisory enters upstream feeds, and any customer image built on an affected Windows 10 or Windows 11 base layer is flagged automatically, including internally built images. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the applicable fix version, execute a regression test run, and open a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy flags boot-integrity or supply-chain risk as a priority control, HarborGuard routes the finding to the designated owner inbox for manual review before any automated action is taken. Customers who have not yet applied the upstream patches should treat any container or VM image derived from affected Windows base versions as untrusted from a boot-integrity standpoint until rebuilt at a fix version.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C