CVE-2026-48573: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows a local attacker with administrative privileges to bypass the Secure Boot security feature entirely. The vulnerability is reached locally and requires no network access, but the attacker must already hold a high-privilege account on the target system. Successful exploitation lets the attacker load unsigned or tampered boot components, undermining firmware-level integrity guarantees. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Windows-based container images that carry affected OS version strings. Any image whose base layer falls within the affected version ranges is flagged automatically.
HarborGuard scores this CVE at 7.9 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to escalate or suppress alerts appropriately. Triage results are routed to the inbox or ticketing integration configured for the relevant team within each customer environment.
Patched-image rebuilds pinned to the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and the corresponding Windows 11 fix versions) are available on HarborGuard for any environment running an affected base image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
An administrative or otherwise high-privilege account on the local system is needed to reach the vulnerable boot mechanism.
- Victim interaction: Not required
No user interaction is required; the attacker can trigger the bypass entirely through their own session.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- Attacker loads unsigned or tampered bootloaders and kernel components, bypassing firmware integrity enforcement at startup.
- Secure Boot policy enforcement is nullified, allowing persistent pre-OS implants or rootkits to survive reboots undetected.
- Confidentiality impact is high: attacker gains access to secrets and data protected by policies that assume a trusted boot chain (for example, BitLocker-adjacent protections that rely on measured boot).
- Data integrity is compromised: the attacker can modify boot-time configuration and persisted security policy without triggering integrity checks.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and patched rebuilds for CVE-2026-48573 are part of the standard scan pipeline. Any Windows-based container image carrying a base OS version below the fix thresholds is flagged on the next scheduled or triggered scan. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate patched version, runs regression tests, and opens a pull request against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity findings. Where compliance policy permits automated remediation, no manual handoff is needed. For environments where auto-remediation is not enabled, the triage card surfaces the specific fix version required per affected image and links directly to the upstream Microsoft advisory. Because this vulnerability requires local administrative access, compensating controls such as restricting who holds admin rights on container host nodes and enforcing least-privilege runtime policies can reduce exposure while image updates are staged.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
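As an added example (not HarborGuard's own scanner code), the Python below shows how the "Fix available" table on this page can be matched against an image's base OS build: it parses a subset of the rows, compares four-part builds as integer tuples, and returns every product whose affected range contains the build. It also shows why the product name must be known in addition to the build: one build lineage can belong to several products with different fix thresholds (10.0.26100.* is both Windows 11 24H2 and Windows Server 2025 in the table above). Function names and sample builds are assumptions made for the example.

```python
# Added example, not HarborGuard's code: match a Windows image's base OS build
# against the advisory's fix table to decide whether it is affected.
from typing import NamedTuple


class FixRange(NamedTuple):
    product: str
    affected_from: tuple  # inclusive lower bound of the affected range
    fixed_in: tuple       # exclusive upper bound: the first patched build


def parse_build(s):
    """'10.0.19045.7417' -> (10, 0, 19045, 7417); tuples compare lexicographically."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part Windows build, got {s!r}")
    return parts


def parse_fix_line(line):
    """Parse one row of the advisory's fix table, e.g.
    'Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)'."""
    vendor_product, _, rest = line.partition("<")
    fixed, _, lower = rest.partition("(from")
    product = vendor_product.split("/", 1)[1].strip(" :")
    return FixRange(product, parse_build(lower.rstrip(")")), parse_build(fixed))


# Subset of the rows on this page (values copied from the advisory).
FIX_TABLE = [parse_fix_line(row) for row in """
Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
""".strip().splitlines()]


def affected_products(os_version, table=FIX_TABLE):
    """Return every product whose affected range contains os_version.
    Several products share a build lineage (10.0.14393.* is both Windows 10
    1607 and Server 2016), so all matches are returned, not just the first."""
    v = parse_build(os_version)
    return [r.product for r in table if r.affected_from <= v < r.fixed_in]


def required_fix(os_version, product, table=FIX_TABLE):
    """First patched build for a known product, or None if not affected."""
    v = parse_build(os_version)
    for r in table:
        if r.product == product and r.affected_from <= v < r.fixed_in:
            return ".".join(map(str, r.fixed_in))
    return None
```

A scanner that only has the build string should report all matching products and let the image's recorded product identity (client vs. server SKU) pick the threshold that actually applies.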