CVE-2026-45588 Overview
CVE-2026-45588 is a Secure Boot bypass vulnerability affecting Microsoft Windows client and server operating systems. The flaw stems from a protection mechanism failure [CWE-693] in the Windows Secure Boot implementation. An authorized attacker with high privileges and local access can defeat the Secure Boot integrity controls that validate firmware and boot components.
Microsoft published the advisory on June 9, 2026, and assigned the issue a CVSS 3.1 score reflecting high confidentiality and integrity impact with a changed scope. The affected footprint spans Windows 10, Windows 11, and Windows Server editions from 2012 through 2025.
Critical Impact
A successful bypass undermines the chain of trust at boot, enabling persistence below the operating system and tampering with boot-time integrity checks across enterprise Windows fleets.
Affected Products
- Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 architectures
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) across x64 and ARM64 architectures
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-45588 published to the National Vulnerability Database
- 2026-06-09 - Microsoft publishes vendor advisory through the Microsoft Security Response Center
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-45588
Vulnerability Analysis
The vulnerability is classified as a Secure Boot bypass driven by a Protection Mechanism Failure [CWE-693]. Secure Boot is a UEFI feature that verifies the cryptographic signatures of firmware drivers, bootloaders, and the Windows boot manager before they execute. When the mechanism fails, untrusted code can load during the boot sequence without triggering the integrity controls that normally block it.
Exploitation requires local access and high privileges on the target system. The attack does not require user interaction. The scope is marked as changed, indicating that a successful bypass impacts components beyond the vulnerable component itself — typically the boot environment and downstream OS integrity guarantees.
With confidentiality and integrity both affected at the high level, an attacker who bypasses Secure Boot can read protected boot-time secrets and modify boot components. The vulnerability does not directly produce a denial of service, but it enables a foothold suitable for bootkits and pre-OS implants.
Root Cause
Microsoft's advisory attributes the flaw to a protection mechanism failure within the Windows Secure Boot implementation. The mechanism does not correctly enforce the trust decision it was designed to make, allowing an authorized local actor to circumvent the verification step. Microsoft has not published low-level technical details in the public NVD record.
Attack Vector
The attack vector is local with low complexity but requires high privileges, such as administrative rights on the target machine. An attacker with these privileges can stage modified boot components or manipulate Secure Boot policy structures and then trigger a reboot. On the next start, the tampered components execute despite Secure Boot being enabled.
This vector aligns with post-compromise escalation scenarios. A threat actor who has already obtained administrative access uses the bypass to establish persistence that survives reinstalls of the operating system and evades many endpoint defenses that rely on a trusted boot chain.
Public exploit code is not available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication.
Detection Methods for CVE-2026-45588
Indicators of Compromise
- Unexpected modifications to UEFI variables, Secure Boot policy objects, or the db, dbx, KEK, and PK key stores
- Unsigned or unexpected entries in the boot configuration data (BCD) store and changes to bootmgfw.efi or winload.efi outside of Windows Update events
- Event ID 1035 and related Measured Boot / TPM event log discrepancies between the recorded PCR values and the expected baseline
- New EFI binaries appearing in the EFI System Partition (ESP) that are not part of a Microsoft-signed update
Detection Strategies
- Compare TPM PCR measurements against a known-good baseline using Windows Defender System Guard attestation or equivalent remote attestation
- Monitor administrative actions that touch bcdedit.exe, mountvol, or write operations against the ESP outside maintenance windows
- Alert on PowerShell or WMI calls that query or modify Secure Boot state, such as Confirm-SecureBootUEFI returning unexpected results
Monitoring Recommendations
- Forward boot integrity telemetry, TPM event logs, and Microsoft-Windows-CodeIntegrity events to a centralized logging platform for correlation
- Track patch deployment status across all affected Windows 10, Windows 11, and Windows Server builds to identify systems still missing the fix
- Review privileged session activity on servers and workstations for sequences that combine admin elevation with reboots shortly after EFI partition writes
How to Mitigate CVE-2026-45588
Immediate Actions Required
- Apply the Microsoft security updates referenced in the Microsoft CVE-2026-45588 advisory to all affected Windows 10, Windows 11, and Windows Server systems
- Audit local administrator accounts and reduce standing privileges, since exploitation requires high privileges on the host
- Validate Secure Boot status with Confirm-SecureBootUEFI and confirm TPM-backed Measured Boot is enabled on managed endpoints
- Re-baseline trusted PCR values and attestation policies after patching to detect any residual tampering
Patch Information
Microsoft has released security updates addressing CVE-2026-45588 across all supported Windows client and server versions. Refer to the Microsoft Security Response Center entry for CVE-2026-45588 for the exact KB articles and build numbers that correspond to each affected SKU. Apply updates through Windows Update, WSUS, Microsoft Intune, or Configuration Manager according to the deployment ring strategy in use.
Workarounds
- Enforce least privilege on all endpoints and servers to limit which accounts can perform local administrative actions required for exploitation
- Enable BitLocker with TPM and PIN protectors so that boot tampering invalidates the recovery key check and forces investigation
- Use device health attestation and conditional access to block non-compliant machines from sensitive resources until they report a trusted boot state
# Verify Secure Boot state and Measured Boot health on Windows
Confirm-SecureBootUEFI
Get-Tpm
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 100
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
