Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Windows Secure Boot Certificate Expiration Security Feature Bypass

IdentifiersCVE-2026-21265CWE-295

CVE-2026-21265 is a Windows Secure Boot security feature bypass issue tied to expiration of Microsoft Secure Boot certificates originally issued in 2011 and stored in UEFI trust databases, including the KEK and DB. The affected certificates include Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, and Microsoft Windows Production PCA 2011, which are used to sign Secure Boot trust updates, third-party boot loaders and option ROMs, and the Windows Boot Manager. If devices continue relying on these expiring certificates without receiving the updated certificate material, Secure Boot trust decisions can fail or become inconsistent. Microsoft also notes that the OS certificate update protection mechanism depends on firmware components that may contain defects, causing certificate trust updates to fail or behave unpredictably. The net effect is a weakening or disruption of the Secure Boot trust chain that can permit bypass of intended boot-time trust enforcement.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation or failure to remediate can undermine Secure Boot’s ability to ensure that only trusted boot components are loaded. Systems that do not receive the updated certificate chain may lose Secure Boot protections, may stop trusting updated boot loaders or Windows Boot Manager components, and may miss future security fixes related to Secure Boot and the Windows boot chain. This increases the risk that threat actors can bypass Secure Boot protections and run untrusted or malicious code during the boot process, weakening platform integrity and boot-time malware defenses.

Mitigation

If you can’t patch tonight, do this now.

Before full remediation, identify systems that rely on the expiring 2011 Secure Boot certificates and prioritize them for controlled update rollout. Perform staged deployment with post-update verification of Secure Boot state, certificate presence, and successful boot of approved loaders. Because firmware defects may interfere with certificate trust updates, validate updates on representative hardware models before broad deployment. Reduce exposure by maintaining strict control over physical and administrative access to affected devices, monitoring for Secure Boot configuration anomalies, and avoiding ad hoc bootloader or firmware changes until the certificate update path has been tested. If compromise is suspected, perform incident response because patching or certificate refresh alone does not remediate prior boot-level tampering.

Remediation

Patch, then assume compromise.

Apply Microsoft-provided Secure Boot certificate authority updates so affected devices transition from the expiring 2011 certificates to the newer replacement certificate material, including the 2023 counterparts referenced by Microsoft. Ensure the UEFI KEK/DB trust stores are updated as required by Microsoft guidance, and validate that firmware correctly accepts and persists the trust updates. Deployment should be staged and verified carefully because firmware defects may cause update failures or inconsistent behavior. Organizations should follow Microsoft’s Secure Boot certificate expiration guidance and associated update documentation, confirm successful installation on affected Windows systems, and test bootability and Secure Boot state after rollout.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app
flareio blogNews
Feb 12, 2026
From Patch to Exploit: Flare’s Intelligence on Cybercrime After January 2026 Patch Tuesday - Flare | Threat Exposure Management | Unmatched Visibility into Cybercrime

Windows Secure Boot certificate update/expiration issue labeled as a security feature bypass; primarily a reliability/maintainability security prerequisite with minimal direct attack vector described.

Read more
upguard newsNews
Jan 21, 2026
Zero-Day Microsoft Vulnerabilities (CVE-2026-20805, CVE-2026-21265, CVE-2023-31096) | UpGuard

A Microsoft-reported critical zero-day vulnerability addressed in the January 2026 Patch Tuesday release; specific technical details are not provided in the content.

Read more
gopher securityNews
Jan 16, 2026
January 2026 Patch Tuesday: Key Updates and Critical Fixes | Quantum Safe News Center

A Secure Boot security feature bypass related to expiring Secure Boot certificates, potentially undermining the trust mechanism for firmware modules.

Read more
techrepublic com securityNews
Jan 15, 2026
Microsoft Patch Tuesday Fixes 112 Flaws, Includes SharePoint and Windows

An issue related to Secure Boot certificate expiration (certificates issued in 2011) that can cause systems to stop trusting new boot loaders or fail to receive future security updates if not updated in time; not described as immediate exploitation.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-21265
NVD
nvd.nist.gov/vuln/detail/CVE-2026-21265
MITRE CWE · CWE-295
cwe.mitre.org
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265