HarborGuard Database

CVE-2026-8863 (HIGH) · CNA: certcc

Multiple Microsoft-signed UEFI shim bootloaders are vulnerable to Secure Boot bypass. An attacker with administrative privileges, or the ability to modify the boot process, could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. A specific UEFI DBX update is required to block these vulnerable bootloaders.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix versions published
  • Affected Products: 14


HarborGuard Analysis

Synopsis

A Secure Boot bypass vulnerability affects multiple UEFI shim bootloaders that carry valid Microsoft signatures, including products from Oracle, PC-Doctor, and Spyrus. The CVSS vector rates the attack as local, requiring only low privileges (PR:L) and no user interaction; the advisory text itself describes the attacker as having administrative privileges or the ability to modify the boot process. Successful exploitation lets an attacker execute arbitrary code before the operating system loads, bypassing Secure Boot integrity protections entirely. No fix versions have been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-8863 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images that bundle affected SHIM versions. Coverage applies to all affected product and version ranges listed in the advisory.

Available
Triage

Triage is available with the CVSS 3.1 score of 7.8 (HIGH), weighted against each customer environment's compliance policy to reflect local risk tolerance. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy assignments.

Available
Patch

Because no upstream fix versions have been published for CVE-2026-8863, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating-control recommendations (described below) are surfaced automatically for affected images.

Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required.

  • Authentication: Required

    The CVSS vector scores this as PR:L, so a low-privilege local account is counted as sufficient. The advisory text itself describes administrative privileges or the ability to modify the boot process, which in practice is what replacing a bootloader on the EFI System Partition or changing firmware boot entries requires.

  • Victim interaction: Not required

    No victim action is required; the attacker can carry out the exploit without any user involvement.

  • Attack complexity: Low

    Attack complexity is low (AC:L): the exploit does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Executes arbitrary code in the pre-OS boot environment, before any operating system security controls or kernel protections are loaded.
  • Bypasses UEFI Secure Boot integrity checks entirely, allowing unsigned or malicious bootloaders and kernels to run as trusted.
  • Persists implants or rootkits at the firmware/bootloader layer, where standard OS-level detection and remediation tools cannot reach.
  • Compromises confidentiality, integrity, and availability of the entire system, including all data and services running on top of the affected host.

How HarborGuard Handles This

Available on HarborGuard: images containing any of the affected shim versions are flagged automatically as HIGH severity findings, routed per each organization's compliance policy, and held in queue for a patched rebuild the moment upstream vendors publish a fix. Because no fix exists today, HarborGuard surfaces compensating-control guidance for each affected image: restrict boot-process access using platform firmware controls (firmware setup password, disabled boot from removable media); apply the specific UEFI DBX update referenced in the advisory, which revokes the vulnerable bootloaders at the firmware level regardless of their valid Microsoft signature; enforce network-policy isolation on hosts running affected images to limit lateral movement if the boot environment is compromised; and consider egress filtering to reduce attacker utility in a post-exploitation scenario. One caveat on the DBX update: a host that still boots through one of the revoked shims will refuse to boot once the DBX entry is applied, so replace the shim first and apply the revocation second. For customers who opt into auto-remediation, a patched-image rebuild, regression-test run, and PR against affected workloads will be triggered automatically once the upstream fix is published, with no manual intervention required.
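The DBX update referenced above works by adding SHA-256 Authenticode hashes of the vulnerable shim images to the firmware's forbidden-signature database, a variable made of EFI_SIGNATURE_LIST structures. The script below, an added example that is not HarborGuard's or any vendor's code, parses that format and reports whether a set of image hashes is revoked. The GUIDs are the UEFI specification's constants; the efivarfs path is the standard Linux location of dbx; the sample dbx blob, its owner GUID and every hash in it are constructed placeholders, not the real hashes of the CVE-2026-8863 shims.

```python
"""
Parse a UEFI dbx (forbidden signature database) blob and check whether given
SHA-256 Authenticode image hashes are revoked by it.

Added example for the CVE-2026-8863 advisory page; not HarborGuard or vendor code.
All sample data below is CONSTRUCTED for the example.
"""
from __future__ import annotations

import struct
import uuid
from hashlib import sha256
from typing import Iterator, NamedTuple

# Signature-type GUIDs from the UEFI specification ("Signature Database").
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux efivarfs exposes dbx here; the first 4 bytes of the file are the variable attributes.
DBX_EFIVARFS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


class Entry(NamedTuple):
    sig_type: uuid.UUID   # EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID, ...
    owner: uuid.UUID      # EFI_SIGNATURE_DATA.SignatureOwner
    data: bytes           # 32-byte Authenticode hash for SHA256 entries, DER cert for X509


def parse_signature_lists(blob: bytes, efivarfs: bool = False) -> Iterator[Entry]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures, validating sizes."""
    if efivarfs:
        blob = blob[4:]  # drop the UINT32 attribute word efivarfs prepends
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} cannot hold an owner GUID")
        sig_type = uuid.UUID(bytes_le=raw_type)  # UEFI GUIDs are mixed-endian
        body = blob[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature array of {len(body)} bytes is not a multiple of {sig_size}")
        for i in range(0, len(body), sig_size):
            sig = body[i : i + sig_size]
            yield Entry(sig_type, uuid.UUID(bytes_le=sig[:16]), sig[16:])
        off += list_size


def revoked_hashes(blob: bytes, efivarfs: bool = False) -> set[bytes]:
    """Only EFI_CERT_SHA256 entries revoke individual images; X509 entries revoke whole CAs."""
    return {e.data for e in parse_signature_lists(blob, efivarfs) if e.sig_type == EFI_CERT_SHA256_GUID}


def check_revocations(blob: bytes, candidates: dict[str, bytes], efivarfs: bool = False) -> dict[str, bool]:
    """Map each named image hash to True if dbx blocks it, False otherwise."""
    dbx = revoked_hashes(blob, efivarfs)
    return {name: h in dbx for name, h in candidates.items()}


def build_siglist(sig_type: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + len(items[0])
    payload = b"".join(owner.bytes_le + item for item in items)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(payload), 0, sig_size) + payload


# --- constructed sample data (placeholder owner GUID, placeholder hashes, fake DER blob) ---
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")
PLACEHOLDER_HASHES = {
    "shim-0.9-vendorA.efi": sha256(b"placeholder shim A").digest(),
    "shim-0.9-vendorB.efi": sha256(b"placeholder shim B").digest(),
    "shim-current.efi": sha256(b"placeholder current shim").digest(),
}
SAMPLE_DBX = (
    build_siglist(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x03\x02\x01\x01"])
    + build_siglist(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                    [PLACEHOLDER_HASHES["shim-0.9-vendorA.efi"], PLACEHOLDER_HASHES["shim-0.9-vendorB.efi"]])
)
# Same blob as efivarfs would present it: NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS attributes first.
SAMPLE_EFIVARFS = struct.pack("<I", 0x27) + SAMPLE_DBX


def load_dbx(path: str = DBX_EFIVARFS_PATH) -> bytes | None:
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    raw = load_dbx()
    if raw is None:
        print("no readable efivarfs dbx on this host; using the constructed sample blob")
        results = check_revocations(SAMPLE_DBX, PLACEHOLDER_HASHES)
    else:
        results = check_revocations(raw, PLACEHOLDER_HASHES, efivarfs=True)
    for name, blocked in results.items():
        print(f"{name:24s} {'REVOKED by dbx' if blocked else 'not in dbx'}")
```

The hashes dbx stores are Authenticode hashes of the PE image (computed over the file with the checksum field and the signature table excluded), not the plain `sha256sum` of the file; on Linux `pesign --hash -i shim.efi` produces the right value, and `mokutil --dbx` prints the current database in human-readable form. Running the script against a live host after applying the advisory's DBX update should show each affected shim's hash as revoked; if it shows the hash of the shim the host currently boots from, replace that shim before rebooting.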

Affected packages
  • Oracle Corporation / OracleLinux (7.2) shim: 0.9
  • PC-Doctor / Service Center Enterprise: ≤ 17.0.7536.900
  • PC-Doctor / Service Center Drive Erase: ≤ 17.0.7538.592
  • PC-Doctor / Service Center Japan: ≤ 17.0.7539.904
  • PC-Doctor / Service Center: ≤ 17.0.7535.900
  • PC-Doctor / Network Factory for Linux (Bootable Diagnostics): ≤ 6.20.7711.267
  • PC-Doctor / Factory for Linux (Bootable Diagnostics): ≤ 6.20.7710.267
  • Spyrus / WTGCreator: 4.2
  • Blancco UK / WhiteCanyon WipeDrive: ≤ 8.1.3
  • baramundi software / baramundi Management Suite: ≤ 2024R1
  • SUSE Linux / OpenSUSE shim: 0.9
  • Finland Matriculation Board / Abitti 1: 1.0.0
  • NTC IT ROSA LLC / RosaLinux: R9
  • NTC IT ROSA LLC / RosaLinux: R10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H