Microsoft Revokes 11 UEFI Shims to Block Secure Boot Bypass on Most Systems
Updated
Updated · We Live Security · Jul 14
Microsoft Revokes 11 UEFI Shims to Block Secure Boot Bypass on Most Systems
3 articles · Updated · We Live Security · Jul 14
Summary
June 9 Patch Tuesday added 11 Microsoft-signed UEFI shim bootloaders to the dbx revocation list after ESET found they could bypass Secure Boot on machines trusting Microsoft’s third-party UEFI CA 2011.
Versions 0.9 and older let attackers bring their own vulnerable shim and run untrusted code at boot, enabling UEFI bootkits such as BlackLotus, Bootkitty or HybridPetya even if the affected OS is not installed.
ESET said the risk extends beyond two newly assigned CVEs—CVE-2026-8863 and CVE-2026-10797—because the shims also trust outdated second-stage loaders, mostly GRUB 2, that may carry known flaws.
Most UEFI-based systems with Microsoft third-party signing enabled are exposed, while Windows 11 Secured-core PCs should have that option off by default; defenders are urged to install the latest dbx updates on Windows or via LVFS on Linux.
The disclosure highlights a broader Secure Boot problem: old Microsoft-signed boot components can remain trusted long after software ages, and certificate expiry alone does not revoke them.
When Microsoft's signature enables an attack, is the entire concept of Secure Boot fundamentally flawed?
Is your PC permanently vulnerable to bootkits due to an expired Microsoft security certificate?
Over a Billion PCs at Risk: The 2026 UEFI Secure Boot Shim Revocation Crisis and Its Lasting Impact
Overview
In June 2026, Microsoft widely revoked UEFI shim bootloaders, disrupting Secure Boot for many Linux distributions and other operating systems. This action caused not only immediate boot failures but also introduced persistent security risks and complex supply chain challenges. While Windows systems generally receive automatic updates to block vulnerable shims, Linux users depend on updates from the Linux Vendor Firmware Service, making the situation more complicated. Red Hat responded by distributing updated shims for its supported releases, but the lack of centralized control means that inconsistent updates can lead to unbootable systems and ongoing security threats across diverse environments.