CVE-2026-48570: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows a local attacker with administrative privileges to bypass the Secure Boot security feature entirely. The vulnerability is exploited locally and requires no network access, but the attacker must already hold a high-privilege account on the target system. Successful exploitation lets the attacker load unsigned or malicious boot-level code, undermining the chain of trust that Secure Boot is designed to enforce. Patched-image rebuilds at the fix versions listed below are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-48570 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built Windows-based container images. Any image whose base OS version falls within the affected range is flagged automatically.
HarborGuard scores this CVE at 7.9 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine escalation priority. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline workflow.
A patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and corresponding Windows 11 builds) becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required. The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required. An admin or otherwise privileged account on the local system is needed to trigger the bypass.
- Victim interaction: Not required. No victim action such as opening a file or clicking a link is required; the attacker operates entirely on their own.
- Attack complexity: Low. The exploit is reliable and imposes no special preconditions such as race conditions or memory-layout requirements.
Blast Radius
- The attacker disables Secure Boot enforcement, allowing unsigned or attacker-controlled bootloaders and drivers to execute before the OS loads.
- Boot-level persistence mechanisms such as bootkits become installable, surviving OS reinstalls and standard endpoint-detection scans.
- High confidentiality impact means the attacker can read protected boot-level secrets and credentials stored in hardware-backed enclaves or TPM-sealed storage.
- High integrity impact means the attacker can tamper with the boot chain, injecting arbitrary code that runs with full pre-OS privileges on every subsequent system start.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48570 is matched against customer images automatically within minutes of CVE publication, covering base images and custom Windows container builds across all registered registries and pipelines. Where compliance policy permits, HarborGuard can rebuild affected images at the patched OS versions and, for customers with auto-remediation enabled, open a pull request against affected workloads after a regression run completes (median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation-enabled environments). Because a Secure Boot bypass of this class operates below the OS layer, HarborGuard also surfaces this CVE in the policy-violation dashboard so that security teams can prioritize host-level patching of the underlying Windows installations in addition to updating container base images. For environments where immediate patching is blocked by change-control windows, compensating controls such as restricting local administrative account access and enabling Credential Guard to limit credential exposure are surfaced as advisory notes alongside the finding.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
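The fix list above is only useful if it can be checked against the build an image or host actually runs. The following Python is an added example, not HarborGuard's code: it parses the page's own fix table, then reports, for a given four-part Windows build, which listed products that build matches and whether each one is still below its fix build. It also handles the one edge case the table contains: several products share a kernel line (10.0.26100 is both Windows 11 24H2 and Windows Server 2025) but have different fix builds, so a build number alone can be fixed for one product and vulnerable for another; the optional product argument resolves that.

```python
"""Check a Windows build against the CVE-2026-48570 fix table on the advisory page.

FIX_TABLE is the page's own list; the parser and assessment logic are an
added example and not HarborGuard's implementation.
"""
import re
from dataclasses import dataclass

FIX_TABLE = """
Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
"""

# One table line: "Vendor / Product< fixed (from start)"; an optional ':' before '<' is tolerated.
LINE_RE = re.compile(
    r"^(?P<vendor>[^/]+?)\s*/\s*(?P<product>.+?)\s*:?\s*<\s*(?P<fixed>[\d.]+)\s*"
    r"\(from\s+(?P<start>[\d.]+)\)\s*$"
)


@dataclass(frozen=True)
class AffectedRange:
    vendor: str
    product: str
    start: tuple  # first affected build (inclusive)
    fixed: tuple  # first fixed build (exclusive)


def parse_build(text):
    """'10.0.14393.9234' -> (10, 0, 14393, 9234); tuples compare component-wise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {text!r}")
    return tuple(int(p) for p in parts)


def parse_fix_table(text):
    """Parse every non-empty line of the table; a line that does not match is an error,
    not silently skipped, so a format change in the feed is noticed."""
    ranges = []
    for raw in text.strip().splitlines():
        line = raw.strip().lstrip("- ").strip()
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable fix line: {line!r}")
        ranges.append(AffectedRange(m["vendor"].strip(), m["product"].strip(),
                                    parse_build(m["start"]), parse_build(m["fixed"])))
    return ranges


RANGES = parse_fix_table(FIX_TABLE)


def assess_build(build, product=None, ranges=RANGES):
    """Return [(product, vulnerable)] for each listed product on the same
    major.minor.build line as `build`. Pass `product` when it is known, because
    one kernel line can carry different fix builds for different products."""
    b = parse_build(build)
    results = []
    for r in ranges:
        if r.start[:3] != b[:3]:
            continue
        if product is not None and r.product != product:
            continue
        results.append((r.product, r.start <= b < r.fixed))
    return results


if __name__ == "__main__":
    for build in ("10.0.14393.9000", "10.0.26100.9000", "10.0.22000.3000"):
        print(build, assess_build(build) or "not listed in the fix table")
```

On a live Windows host the fourth component is the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (the `ver` command prints only the first three), and a build that is at or above its fix build says only that the OS patch is installed; whether Secure Boot is actually enforced on the platform is a separate check (for example `Confirm-SecureBootUEFI` in PowerShell).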
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C