Overview
- ESET researchers located 11 Microsoft‑signed shim bootloaders, mostly version 0.9 or earlier, that let an attacker load an untrusted second‑stage bootloader and run code before the operating system.
- The flaws are tracked as CVE‑2026‑8863 and CVE‑2026‑10797 and enable persistent pre‑OS compromise, including installation of UEFI bootkits that survive OS reinstallation.
- Microsoft added the 11 revoked hashes to the Windows dbx on June 9, 2026 and Windows devices generally receive that update automatically, while Linux users can get dbx updates through LVFS/fwupd and audit with published scripts.
- The Microsoft Corporation UEFI CA 2011 certificate expired on June 27, 2026 but expiration does not remove trust for already‑signed binaries, and many old shims lack newer protections such as MOK denylist enforcement and SBAT support so they can ignore revocations.
- Incomplete historical records and lagging vendor firmware or bootloader updates mean some signed, vulnerable shims may still exist in the supply chain, so system owners should run the published checks, apply firmware updates from OEMs and vendors, and use LVFS/fwupd or Windows update to ensure dbx revocations are installed.