CVE-2026-47656: Windows Boot Manager Protection Bypass – High Severity Patch Advisory
CVE-2026-47656 is a high-severity vulnerability in the Windows Boot Manager that allows an attacker with administrator privileges to disable or circumvent a security protection mechanism on a local system. While the attacker must already have elevated permissions, once exploited, they can interfere with boot-level security controls—a critical concern because these controls are meant to prevent unauthorized system modifications. This is not currently listed as actively exploited in the wild, but it warrants prompt patching given the scope of affected Windows versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Protection mechanism failure in Windows Boot Manager allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from a protection mechanism failure (CWE-693: Incorrect Implementation of a Security-Relevant Requirement) in the Windows Boot Manager, the component responsible for system initialization before the operating system kernel loads. The CVSS 3.1 score of 7.9 (HIGH) reflects local attack vector, high confidentiality and integrity impact, and no availability impact. The attack requires high privilege (PR:H) and no user interaction. The scope change (S:C) indicates that compromising the Boot Manager can affect resources beyond the Boot Manager's security domain, such as platform integrity and secure boot guarantees. An authorized attacker can exploit this flaw to bypass intended security controls that normally restrict unauthorized boot-time modifications.
Business impact
Compromise of boot-level security controls creates a persistent threat to system integrity. An attacker with admin access who exploits this flaw can install malicious code at the firmware or bootloader level, potentially establishing persistence that survives OS reinstallation or antivirus remediation. This is particularly dangerous in high-security environments such as financial institutions, government agencies, and critical infrastructure where boot integrity is foundational to compliance (UEFI Secure Boot, Measured Boot, TPM attestation). Affected organizations must treat this as a confidentiality and integrity risk requiring urgent remediation to maintain boot chain trust.
Affected systems
This vulnerability affects a broad range of Microsoft Windows operating systems across consumer and server platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; all currently supported Windows 11 versions (23H2, 24H2, 25H2, and 26H1); and Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations running any of these versions in their environment should assume they are at risk and prioritize assessment. Extended Support Lifecycle (ESL) versions of Windows 10 remain vulnerable, as do all modern Server editions.
Exploitability
Exploitation requires an attacker to already possess administrator-level credentials on the target system—a significant but not uncommon precondition in many environments. Given this requirement, the attack surface is primarily internal: a malicious insider, an attacker who has compromised an admin account via phishing or lateral movement, or an adversary with physical access to an unlocked administrative session. Once those privileges are obtained, the actual exploitation is straightforward (AC:L), requiring no special techniques or user interaction. The lack of current KEV (Known Exploited Vulnerability) status suggests this flaw has not yet been weaponized at scale, but organizations should not rely on this as assurance.
Remediation
Microsoft has released security updates to address this vulnerability. Organizations must identify all affected systems in their environment—particularly those running Windows 10 and Windows Server editions—and deploy patches according to their change management procedures. Given the high severity and boot-level nature of the vulnerability, expedited testing and deployment is justified. For systems in restricted environments, verify patch availability from your Windows Server Update Services (WSUS) or Microsoft Update Catalog before implementation. Any delay in patching leaves these systems vulnerable to privileged account abuse.
Patch guidance
Apply the latest security updates from Microsoft for your affected Windows version. Verify patch deployment through Windows Update, WSUS, or manual download from the Microsoft Update Catalog. Testing in a non-production environment is recommended before broad rollout, particularly for server editions. Prioritize systems that run in multi-tenant environments or those managed by multiple administrators, as these carry higher risk of privileged account compromise. After patching, confirm Boot Manager functionality has not been disrupted by performing standard boot and Secure Boot verification tests. Document patch dates and versions for compliance auditing.
Detection guidance
Monitor for suspicious activity at the Boot Manager level: unusual kernel driver loads, Secure Boot policy changes, or failed Secure Boot validations. Windows event logs (System, Security) may capture boot configuration modifications if auditing is enabled. Organizations with SIEM solutions should look for Event ID 4957 (Windows Firewall configuration changes), unauthorized WMI calls to firmware configuration, or attempts to disable Device Guard/Hyper-V Code Integrity. Tools like Get-SecureBootUEFI in PowerShell can verify current Secure Boot status. However, detection of successful exploitation may be limited once boot-level changes are committed, reinforcing the importance of preventive patching.
Why prioritize this
This vulnerability merits urgent priority (P1/P2 status) for most organizations due to its combination of high CVSS score, broad platform coverage, and potential for establishing persistent, difficult-to-remediate boot-level compromises. While it requires high privilege, admin-level account compromise is a realistic threat in many networks. The Boot Manager sits at the foundation of system trust; any flaw here has outsized security implications. Organizations operating in regulated sectors (finance, healthcare, government) should treat this as a critical patching obligation.
Risk score, explained
The CVSS 3.1 score of 7.9 reflects a HIGH-severity vulnerability. The score is elevated by high confidentiality and integrity impact (C:H, I:H), a broad scope change (S:C), and local attack vector with low complexity (AV:L, AC:L). The requirement for high privilege (PR:H) prevents a maximum score but does not significantly reduce the practical risk, because administrator account compromise is a frequent consequence of successful phishing or lateral movement attacks. The absence of availability impact (A:N) keeps it below critical, but the potential for persistent, silent compromise of boot integrity warrants treating it as a critical-priority patch in practice.
Frequently asked questions
Does this vulnerability affect Windows systems with Secure Boot enabled?
Yes. While Secure Boot is a protection mechanism, this vulnerability represents a bypass—an attacker with admin privileges can exploit it to circumvent Secure Boot protections. Secure Boot alone does not prevent exploitation; patching is required regardless of Secure Boot status.
Can this vulnerability be exploited remotely, or only locally?
Only locally. The attack vector is local (AV:L), meaning the attacker must have direct access to the system or an authenticated remote session with administrative privileges. They cannot exploit it over the network without first compromising a local or domain admin account.
Is there a workaround if I cannot patch immediately?
No robust workaround exists. Organizations should enforce strict access controls on administrative accounts, disable unnecessary administrative privileges, and implement privileged access management (PAM) to reduce the likelihood of admin credential compromise. However, these mitigations do not fix the underlying vulnerability—patching remains essential.
Why is this vulnerability not on the KEV list despite its high severity?
KEV inclusion indicates active, in-the-wild exploitation. This vulnerability was not flagged for KEV at publication, suggesting no documented active exploitation as of the advisory date. However, lack of KEV status should not delay patching; many serious vulnerabilities are exploited before reaching KEV visibility.
This analysis is based on publicly available information as of the advisory publication date (2026-06-09). Patch version numbers and specific remediation steps should be verified against the official Microsoft Security Update Guide and vendor advisories. SEC.co does not provide guaranteed exploit-free patch verification; organizations should conduct their own testing in isolated environments before production deployment. This vulnerability requires administrator-level privileges to exploit; risk assessment should account for your organization's specific privileged account security posture and attack surface. Information current as of the last modification date (2026-06-17); consult Microsoft for the most recent updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11248HIGHChrome Navigation Bypass in Google Lens
- CVE-2026-45588HIGHWindows Secure Boot Protection Mechanism Failure – HIGH Severity
- CVE-2026-45656HIGHWindows UEFI Protection Mechanism Bypass (CVSS 7.8)
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11206MEDIUMChrome Service Worker Data Leak Vulnerability – CVSS 6.5
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling