CVE-2026-0390 Overview
CVE-2026-0390 is a security feature bypass vulnerability in the Windows Boot Loader. The flaw stems from reliance on untrusted inputs in a security decision [CWE-807]. An authorized attacker with high privileges and local access can bypass a security feature enforced during the boot process. Microsoft has published an advisory tracking the issue across supported Windows 10 and Windows Server releases.
Critical Impact
A successful bypass undermines integrity controls protecting the Windows boot chain, enabling tampering with boot-time security policies on affected systems.
Affected Products
- Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2 (x86, x64, ARM64)
- Microsoft Windows Server 2016 and Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- 2026-04-14 - CVE-2026-0390 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-0390
Vulnerability Analysis
The Windows Boot Loader makes a security decision based on inputs that an attacker can influence. Because the loader trusts data that has not been validated as authentic, an attacker can manipulate those inputs to alter boot-time behavior. The result is a bypass of a security feature that the boot chain is meant to enforce. Exploitation requires local access and pre-existing high privileges, which limits remote opportunism but aligns with post-compromise persistence and tamper scenarios. The flaw maps to CWE-807, Reliance on Untrusted Inputs in a Security Decision.
Root Cause
The boot loader consumes attacker-controllable data and uses it as the basis for a trust decision without sufficient validation. When the input is forged or altered, the loader proceeds along a path that should otherwise be blocked. This pattern is characteristic of CWE-807 weaknesses, where the integrity and authenticity of the decision input are not verified prior to use.
Attack Vector
An attacker must already hold elevated privileges on the target host. From that position, the attacker stages crafted inputs that the boot loader consults during initialization. On the next boot, the loader honors the manipulated input and bypasses the affected security feature. No user interaction is required, and the attack is constrained to local execution. Microsoft has not reported active exploitation, and no public proof-of-concept is referenced in the advisory.
No verified exploit code is available. Refer to the Microsoft Security Advisory CVE-2026-0390 for vendor technical details.
Detection Methods for CVE-2026-0390
Indicators of Compromise
- Unexpected modifications to Boot Configuration Data (BCD) entries or boot loader files under the EFI System Partition.
- Boot integrity measurements or TPM PCR values that drift from a known-good baseline across reboots.
- Administrator-level processes writing to boot-related paths outside of vendor update activity.
Detection Strategies
- Monitor for use of bcdedit.exe and direct writes to \EFI\Microsoft\Boot\ outside of patch or imaging workflows.
- Correlate privileged process creation with subsequent reboots and changes in measured boot logs.
- Compare TPM-backed boot attestation data against the platform baseline to identify drift in the loader configuration.
Monitoring Recommendations
- Enable Measured Boot and forward attestation logs to a centralized analytics platform for review.
- Track Windows event logs related to boot configuration changes and Secure Boot policy updates.
- Alert on privileged account activity that immediately precedes reboots on servers and high-value endpoints.
How to Mitigate CVE-2026-0390
Immediate Actions Required
- Apply the security update referenced in the Microsoft advisory to all affected Windows 10 and Windows Server systems.
- Restrict membership in local administrator and equivalent groups to limit who can stage the local prerequisites for exploitation.
- Verify Secure Boot is enabled and that TPM-based attestation is in use where supported.
Patch Information
Microsoft provides the official fix and product-specific guidance in the Microsoft Security Advisory CVE-2026-0390. Administrators should consult the advisory for the specific KB articles applicable to each Windows 10 and Windows Server build listed in the affected products section.
Workarounds
- No vendor workaround is published. Patching is the supported remediation path.
- Reduce local privilege exposure by enforcing least privilege and credential isolation on systems pending patch deployment.
- Use BitLocker with TPM and PIN to raise the cost of boot-time tampering on portable and unattended systems.
# Verify Secure Boot status on a Windows host
Confirm-SecureBootUEFI
# Inspect current boot configuration for review against a known-good baseline
bcdedit /enum {bootmgr}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
