CVE-2026-21265

6.4 MEDIUM

📋 TL;DR

This CVE covers the expiration in 2026 of the Microsoft UEFI certificates that Windows Secure Boot relies on. Devices that still trust only the expiring certificates may lose Secure Boot functionality if firmware defects prevent the replacement certificates from being installed, which can open the door to boot-level attacks. All Windows systems using Secure Boot with the expiring certificates are affected.

💻 Affected Systems

Products:
  • Windows Secure Boot
  • UEFI firmware with Microsoft certificates
Versions: All versions using Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, or Microsoft Windows Production PCA 2011 certificates
Operating Systems: Windows 10, Windows 11, Windows Server 2016+, Other Windows versions with Secure Boot
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Secure Boot enabled and using the specific expiring certificates. Systems without Secure Boot or with updated certificates are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Secure Boot bypass allowing attackers to load malicious bootloaders or kernel-level malware, leading to persistent system compromise and data theft.

🟠 Likely Case

Secure Boot failures causing boot problems, system instability, or inability to apply security updates, requiring manual intervention to restore functionality.

🟢 If Mitigated

Temporary boot issues during certificate updates that are resolved through proper firmware and OS updates with minimal disruption.

🌐 Internet-Facing: LOW - This is a local boot process vulnerability requiring physical or administrative access to the system.
🏢 Internal Only: MEDIUM - Requires local access but could be exploited by malicious insiders or through compromised administrative credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires physical access or administrative privileges to manipulate the boot process. The vulnerability is more a matter of certificate expiration causing failures than of active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows updates with new certificate packages and firmware updates from hardware vendors

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265

Restart Required: Yes

Instructions:

1. Apply the latest Windows updates from Microsoft.
2. Check for and apply UEFI/firmware updates from the hardware manufacturer.
3. Verify Secure Boot is functioning after the updates.
4. Test the boot process thoroughly before production deployment.

🔧 Temporary Workarounds

Disable Secure Boot (NOT RECOMMENDED)

Platform: Windows

Temporarily disable Secure Boot in the UEFI settings to avoid boot failures; this significantly reduces security.

🧯 If You Can't Patch

  • Maintain physical security controls to prevent unauthorized access to systems
  • Implement strict administrative access controls and monitor for unauthorized boot process changes

🔍 How to Verify

Check if Vulnerable:

Check the UEFI firmware settings for Secure Boot status and certificate details, or use PowerShell: run Confirm-SecureBootUEFI (returns True when Secure Boot is enabled) and then check the expiration dates of the certificates stored in the UEFI KEK and db variables.

Check Version:

PowerShell: Get-SecureBootPolicy or Get-SecureBootUEFI; alternatively msinfo32.exe, which reports the Secure Boot State under System Summary.

Verify Fix Applied:

Verify that Secure Boot is enabled and functioning, check that the new certificates are present in the UEFI KEK and db variables, and confirm the system boots normally.
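As an added example (not part of this advisory or of Microsoft's tooling), the PowerShell snippet below walks the UEFI KEK and db signature databases, lists the X.509 certificates they contain with their expiry dates, and flags the three 2011 Microsoft certificates named above. It assumes an elevated session on a UEFI machine with the built-in SecureBoot module; the function name Get-UefiSignatureCertificates is hypothetical, and the EFI_SIGNATURE_LIST layout and the X.509 signature-type GUID follow the UEFI specification.

```powershell
# EFI_CERT_X509_GUID: marks signature lists whose entries are DER-encoded X.509 certificates
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureCertificates {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK', 'dbx', 'PK')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes   # raw variable contents (hypothetical helper, real cmdlet)
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $sigType    = [Guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping forever
        $cursor = $offset + 28 + $headerSize
        $end    = $offset + $listSize
        while ($cursor + $sigSize -le $end) {
            if ($sigType -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                $der  = [byte[]]($bytes[($cursor + 16)..($cursor + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    Thumbprint = $cert.Thumbprint
                }
            }
            $cursor += $sigSize
        }
        $offset = $end
    }
}

# The three certificates this CVE is about; any match in KEK or db means the device still depends on them
$expiring = 'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011'
$pattern  = ($expiring | ForEach-Object { [regex]::Escape($_) }) -join '|'

$certs = @('KEK', 'db') | ForEach-Object { Get-UefiSignatureCertificates -Name $_ }
$certs | Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter |
    Format-Table Variable, Subject, NotAfter, Expired -AutoSize
```

Run the full `$certs` list without the filter to confirm that the replacement certificates delivered by the update are present alongside, or instead of, the 2011 ones.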

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Secure Boot violations, boot failures, certificate validation errors
  • UEFI/BIOS logs: Secure Boot policy changes

Network Indicators:

  • Not applicable - this is a local boot process issue

SIEM Query:

EventID=1034 OR EventID=1001 from source 'Microsoft-Windows-Security-SPP' OR 'Secure Boot' in EventData
