CVE-2026-48578: Secure Boot Security Feature Bypass Vulnerability
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Metrics
- CVSS v3.1: 7.9
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows Secure Boot allows a local attacker with administrative privileges to bypass the Secure Boot security feature entirely. The vulnerability is exploited locally with no network exposure required, and the attacker must already hold a high-privilege account on the target system. Successful exploitation lets the attacker undermine the boot integrity chain, enabling persistent tampering with boot components and full disclosure of protected boot-stage data. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-48578 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Microsoft's advisory channel. This coverage extends to custom-built Windows-based container images alongside images pulled from external registries.
HarborGuard surfaces this vulnerability with its CVSS v3.1 score of 7.9 (HIGH), weighted against each customer organization's compliance policy to reflect environment-specific risk thresholds. Triage routing is available to direct findings to the appropriate team or inbox within each customer org based on configured ownership rules.
Patched-image rebuilds targeting the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and 10.0.19044.7417) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attack vector is local (AV:L), so the attacker needs an existing shell or process on the host rather than any network path.
- Authentication: Required
  The attacker must hold a high-privilege (administrative) account on the target system before exploitation is possible (PR:H).
- Victim interaction: Not required
  No action from another user is needed; the attacker can trigger the bypass entirely on their own (UI:N).
- Attack complexity: Detail
  Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Reads protected boot-stage secrets and integrity measurements stored in Secure Boot variables, defeating confidentiality guarantees at the firmware layer.
- Modifies boot components such as bootloaders and early-load drivers, allowing persistent implants that survive OS reinstallation.
- Bypasses code-signing enforcement at boot time, permitting unsigned or revoked kernel modules and drivers to load without restriction.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48578 is active across all customer image registries and CI pipelines, with matching against upstream Microsoft advisory data occurring within minutes of publication. For environments running affected Windows 10 or Windows 11 base images, rebuilt images at the appropriate fix version are made available automatically. For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the finding is routed to the configured owner inbox with full CVSS context and affected image inventory attached, so the remediation decision can be made quickly without additional research.
Fix available
- Microsoft / Windows 10 Version 1607 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2 < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2 < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2 < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2 < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1 < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012 < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation) < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2 < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation) < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation) < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation) < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022 < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
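The ranges above have to be matched per product and compared numerically: Windows 11 Version 24H2 and Windows Server 2025 share build 10.0.26100 but have different fixed revisions, and a plain string comparison ranks 8655 above 32995. The following is an added example, not HarborGuard or Microsoft code; the function names, status labels and inventory entries are assumptions made for illustration.

```python
import re

# Rows copied from the "Fix available" list above: product -> (range start, first fixed build).
# Only a subset is embedded here to keep the example short.
FIX_TABLE = {
    "windows 10 version 22h2": ("10.0.19045.0", "10.0.19045.7417"),
    "windows 11 version 24h2": ("10.0.26100.0", "10.0.26100.8655"),
    "windows server 2012 r2": ("6.3.9600.0", "6.3.9600.23228"),
    "windows server 2016": ("10.0.14393.0", "10.0.14393.9234"),
    "windows server 2022": ("10.0.20348.0", "10.0.20348.5256"),
    "windows server 2025": ("10.0.26100.0", "10.0.26100.32995"),
}

def parse_build(text):
    """Turn 'major.minor.build.revision' into a tuple of ints for numeric comparison."""
    if not re.fullmatch(r"\d+(?:\.\d+){3}", text.strip()):
        raise ValueError(f"not a four-part Windows build: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def status(product, build):
    """Classify one host or image against the page's range for its product."""
    row = FIX_TABLE.get(product.strip().lower())
    if row is None:
        return "unknown-product"
    start, fixed = (parse_build(v) for v in row)
    current = parse_build(build)
    if current[:3] != start[:3]:
        return "build-mismatch"  # build number does not belong to this product line
    return "vulnerable" if current < fixed else "patched"

# Constructed inventory (hypothetical host names and builds, not from the page).
INVENTORY = [
    ("build-agent-01", "Windows 11 Version 24H2", "10.0.26100.8655"),
    ("file-srv-02", "Windows Server 2025", "10.0.26100.8655"),
    ("legacy-app-03", "Windows Server 2012 R2", "6.3.9600.23228"),
    ("ci-runner-04", "Windows Server 2022", "10.0.20348.3000"),
]

def triage(inventory=INVENTORY):
    """Map each host name to its status for this CVE."""
    return {host: status(product, build) for host, product, build in inventory}

if __name__ == "__main__":
    for host, result in triage().items():
        print(f"{host}: {result}")
```

The same revision, 10.0.26100.8655, is patched on the Windows 11 row and still vulnerable on the Windows Server 2025 row, which is why the lookup is keyed on product name rather than build prefix.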
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C