By rssfeeds-admin 
The flaw stems from expiring 2011-era certificates that underpin Secure Boot’s trust chain, potentially allowing attackers to disrupt boot integrity if unpatched.
Rated Important with a CVSS v3.1 base score of 6.4, the issue requires local access, high privileges, and high attack complexity, making exploitation less likely.msrc.microsoft+4
CVE-2026-21265 arises because Microsoft certificates stored in UEFI KEK and DB are nearing expiration dates in mid-2026, risking Secure Boot failure without updates.
Firmware defects in the OS’s certificate update mechanism can disrupt the trust chain, compromising Windows Boot Manager and third-party loaders. Publicly disclosed but not yet exploited in the wild, Microsoft urges immediate deployment of 2023 replacement certificates.
Three key 2011 certificates must be renewed to sustain Secure Boot:
| Certificate Authority | Location | Purpose | Expiration Date |
|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | KEK | Signs updates to DB and DBX | 06/24/2026 |
| Microsoft Corporation UEFI CA 2011 | DB | Signs 3rd party boot loaders, Option ROMs | 06/27/2026 |
| Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 10/19/2026 |
Failure to update exposes devices to boot-time attacks, as noted in Microsoft’s November 2025 advisory.
Affected Systems and Patches
Patches target legacy Windows Server and extended-support editions, all marked as customer action required.
| Product | KB Article | Build Number | Update Type |
|---|---|---|---|
| Windows Server 2012 R2 (Core) | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 R2 | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 (Core) | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2012 | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2016 (Core) | 5073722 | 10.0.14393.8783 | Security Update |
| Windows Server 2016 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x64 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x86 | 5073722 | 10.0.14393.8783 | Security Update |
Organizations with IT-managed or Microsoft-managed updates should prioritize deployment. Verify firmware compatibility to avoid post-patch boot issues.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Microsoft Warns Secure Boot May Be Bypassed as Windows UEFI Certificates Expire appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.