HIGH | CVE-2026-48575 | CNA: microsoft

CVE-2026-48575: Secure Boot Security Feature Bypass Vulnerability

Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

Metrics

  • CVSS v3.1: 7.9
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20


HarborGuard Analysis

Synopsis

A protection mechanism failure in Windows Secure Boot allows a local, authenticated attacker to bypass the Secure Boot security feature entirely. The vulnerability is reached locally and requires an existing high-privilege account on the affected machine; no network exposure is needed. Successful exploitation lets an attacker load unsigned or tampered bootloaders and boot-level code, undermining the integrity guarantees Secure Boot is designed to enforce. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from Microsoft's advisory feed and matched against customer container images and base-image layers within minutes of publication, including custom-built Windows-based images. Any image whose base layer carries an affected Windows version (10.0.14393.x through the respective fix thresholds) is flagged automatically in the pipeline.

Status: Available

Triage

HarborGuard scores this vulnerability at CVSS 7.9 HIGH using the v3.1 vector and weights it against each environment's configured compliance policy, surfacing it with appropriate priority for boot-integrity-sensitive workloads. Routing rules within each customer organization direct the finding to the inbox or ticketing queue defined for high-severity OS-level issues.

Status: Available

Patch

A patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, or the corresponding Windows 11 fix builds) becomes available on HarborGuard for images confirmed to carry an affected base layer. For customers who opt into auto-remediation, the platform triggers a rebuild, runs regression tests against the updated image, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    An admin or otherwise privileged account on the local system is needed to trigger the bypass.

  • Victim interaction: Not required

    No action from another user or administrator is required once the attacker has local privileged access.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Attacker loads an unsigned or tampered bootloader, bypassing Secure Boot's chain-of-trust validation at startup.
  • Tampered boot-level code executes before the OS kernel, giving the attacker a position that persists across reboots and survives most OS-level defenses.
  • Integrity assurances for measured boot and attestation flows are invalidated, because the Secure Boot chain can no longer be trusted as a root of trust.

How HarborGuard Handles This

Available on HarborGuard: detection runs against all images carrying Windows base layers as soon as the advisory is ingested, which typically happens within minutes of Microsoft publication. For environments running an affected version, a patched-image rebuild at the appropriate fix build becomes available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression-test run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because this vulnerability requires a privileged local session, organizations that cannot immediately apply the patch may reduce exposure by tightening local administrator access controls and auditing privileged session grants in affected environments, while HarborGuard continues tracking the advisory for any superseding guidance.


Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
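
The ranges above can be checked mechanically against an inventory of reported OS versions. The following is an added example, not HarborGuard's or Microsoft's code: the thresholds are transcribed from the list above, while the function names, the "client"/"server" family label and the sample rows are assumptions made for the illustration. It handles the two points that are easy to get wrong: revisions must be compared as numbers, and build 10.0.26100 has two different fix revisions depending on the product.

```python
# Added example. First fixed revision per build line, from "Affected packages" above.
FIXED = {
    "6.2.9200": 26132,
    "6.3.9600": 23228,
    "10.0.14393": 9234,
    "10.0.17763": 8880,
    "10.0.19044": 7417,
    "10.0.19045": 7417,
    "10.0.20348": 5256,
    "10.0.22631": 7219,
    # 26100 is shared: Windows 11 24H2 (client) and Windows Server 2025 (server).
    "10.0.26100": {"client": 8655, "server": 32995},
    "10.0.26200": 8655,
    "10.0.28000": 2269,
}

def parse_version(text):
    """Split 'major.minor.build.revision' into (build line, int revision)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return ".".join(str(int(p)) for p in parts[:3]), int(parts[3])

def status(version, family=None):
    """Return 'affected', 'fixed', 'not-listed' or 'need-family'.
    family ('client'/'server') is this example's own label, used only for 26100."""
    line, revision = parse_version(version)
    fixed = FIXED.get(line)
    if fixed is None:
        return "not-listed"       # build line does not appear on this page
    if isinstance(fixed, dict):
        if family not in fixed:
            return "need-family"  # two thresholds; cannot decide without family
        fixed = fixed[family]
    return "affected" if revision < fixed else "fixed"

# Constructed sample rows: (image name, reported OS version, family)
SAMPLE = [
    ("legacy-app", "10.0.14393.9233", None),
    ("build-agent", "10.0.17763.10000", None),
    ("win11-24h2", "10.0.26100.8655", "client"),
    ("ws2025-core", "10.0.26100.8655", "server"),
]

def triage(rows):
    """Map image name to status for every inventory row."""
    return {name: status(version, family) for name, version, family in rows}
```

A "not-listed" result only means the build line is absent from this page's list; it says nothing about whether that build is affected.
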
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C