CVE-2026-45588: Windows Secure Boot Protection Mechanism Failure – HIGH Severity
A weakness in Windows Secure Boot—a fundamental protection mechanism that ensures only authorized code runs during system startup—has been discovered that allows a high-privileged attacker to bypass this security feature on affected systems. The flaw affects multiple versions of Windows 10, Windows 11, and Windows Server across generations. While exploitation requires high-level access locally (such as from an administrator account), a successful bypass could allow an attacker to circumvent boot-time protections, potentially enabling persistence or further system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45588 represents a protection mechanism failure (CWE-693) in the Windows Secure Boot implementation. The vulnerability has a CVSS 3.1 score of 7.9 (HIGH) with a local attack vector, high privileges required (PR:H), and achieves high impact on both confidentiality and integrity (C:H/I:H). The attack requires no user interaction and crosses security boundaries (scope change). The flaw does not directly enable denial of service. Exploitation allows a privileged local attacker to circumvent Secure Boot protections without triggering expected security controls.
Business impact
Secure Boot bypass vulnerabilities create a path for sophisticated attackers to establish persistence mechanisms and evade detection by modifying firmware-level or boot-level components. Organizations running affected Windows versions face increased risk of stealthy post-exploitation activity if an attacker has already obtained elevated privileges. For enterprises with strict boot integrity requirements—particularly financial institutions, healthcare systems, and critical infrastructure—this vulnerability undermines a key pillar of endpoint security posture and may conflict with compliance frameworks that mandate Secure Boot enforcement.
Affected systems
The vulnerability affects a broad range of Microsoft products: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Organizations should verify their specific version and build numbers against Microsoft's official security advisory to determine precise exposure within their environment.
Exploitability
This vulnerability requires high-level privileges (administrator or system context) and local system access to exploit. It cannot be leveraged remotely or by unprivileged users. The straightforward attack surface (AC:L) and lack of user interaction requirements mean that once an attacker has elevated access, exploitation is practical. However, the privilege requirement substantially raises the bar compared to unauthenticated remote vulnerabilities. The vulnerability has not been designated as part of the Known Exploited Vulnerabilities catalog as of the latest data.
Remediation
Apply security updates from Microsoft to all affected systems. Organizations should verify the patch version numbers and deployment guidance in Microsoft's official CVE-2026-45588 security advisory. Prioritize systems in sensitive environments (domain controllers, high-value endpoints) and those with administrative exposure. For environments unable to patch immediately, restrict administrative access through credential guard, privileged access workstation (PAW) designs, and logging to detect potential exploitation attempts.
Patch guidance
Consult Microsoft's official security bulletin for CVE-2026-45588 to identify the specific KB article and patched versions for your Windows release. Patches are typically released via Windows Update; enterprises should test in a staging environment before broad deployment. Windows Server environments may require coordination with change management processes. Given the broad affected product list, conduct an inventory of all Windows 10, Windows 11, and Windows Server systems before patching to prioritize high-risk assets.
Detection guidance
Monitor for unauthorized Secure Boot policy modifications and firmware-level changes on high-value endpoints. Enable audit logging for Secure Boot status changes and examine firmware modification events (if firmware TPM logging is available). Behavioral indicators may include unexpected changes to boot configuration, kernel driver loading from unusual paths, or anomalous boot-time process execution. Endpoint detection and response (EDR) solutions should flag privilege escalation attempts combined with firmware or boot-sector modification activities.
Why prioritize this
This vulnerability merits prioritization due to its HIGH CVSS score, broad product coverage, and critical role of Secure Boot in endpoint security architecture. Although exploitation requires elevated privileges, compromise of an administrative account or system service could immediately enable Secure Boot bypass and lasting persistence. Organizations should prioritize patching systems with high administrative turnover, those exposed to supply-chain risk, or those storing sensitive credentials or data.
Risk score, explained
The 7.9 CVSS score reflects high impact on confidentiality and integrity (C:H/I:H), local-only attack vector (AV:L), and ease of exploitation once privileges are obtained (AC:L). The high privilege requirement (PR:H) prevents widespread exploitation from initial compromise but does not reduce severity for organizations already managing elevated-privilege accounts. The scope change (S:C) indicates the vulnerability affects protections beyond the vulnerable component itself, elevating business risk.
Frequently asked questions
What does 'Secure Boot bypass' mean for my organization?
Secure Boot is a firmware feature that prevents unsigned or malicious boot-level code from executing. A bypass allows an attacker with administrative rights to load unauthorized code at startup, potentially creating persistent backdoors or rootkits that survive OS reinstalls. This is particularly dangerous in high-security environments where Secure Boot enforcement is a compliance requirement.
Do I need to patch immediately if I have no administrators with untrusted access?
While risk is reduced in environments with strictly controlled administrative access and robust identity governance, insider threats and credential compromise remain realistic scenarios. Microsoft recommends patching all affected systems in a phased, tested manner aligned with your change management process. High-value systems and privileged workstations should be prioritized.
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and high-level privileges (administrator or system context). Remote exploitation is not possible; however, if an attacker gains administrative credentials through phishing, lateral movement, or other means, they can then exploit this flaw locally.
Are Windows 7 or older systems affected?
The affected products list includes Windows 10, Windows 11, and Windows Server 2012 and later. Verify your specific version and build number against Microsoft's official advisory, as patch applicability varies by release.
This analysis is based on vulnerability data published as of June 2026 and vendor advisories available at that time. Specific patch version numbers and deployment guidance should be verified directly with Microsoft's official CVE-2026-45588 security bulletin before implementation. CVSS scores and KEV status are current as of the data publication date; refer to NIST NVD and CISA's KEV catalog for the most recent updates. This content is for informational purposes and does not constitute legal, compliance, or specific remediation advice; engage qualified security and compliance personnel for your organization's environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11248HIGHChrome Navigation Bypass in Google Lens
- CVE-2026-45656HIGHWindows UEFI Protection Mechanism Bypass (CVSS 7.8)
- CVE-2026-47656HIGHWindows Boot Manager Protection Bypass – High Severity Patch Advisory
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11206MEDIUMChrome Service Worker Data Leak Vulnerability – CVSS 6.5
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling