惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
P
Privacy International News Feed
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
C
CXSECURITY Database RSS Feed - CXSecurity.com
Know Your Adversary
Know Your Adversary
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Attack and Defense Labs
Attack and Defense Labs
NISL@THU
NISL@THU
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
GbyAI
GbyAI
N
News and Events Feed by Topic
N
News | PayPal Newsroom
Y
Y Combinator Blog
C
CERT Recently Published Vulnerability Notes
N
Netflix TechBlog - Medium
S
Security Affairs
Spread Privacy
Spread Privacy
罗磊的独立博客
腾讯CDC
MyScale Blog
MyScale Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
L
LINUX DO - 热门话题
The Cloudflare Blog
L
LangChain Blog
博客园_首页
H
Hacker News: Front Page
宝玉的分享
宝玉的分享
Martin Fowler
Martin Fowler
博客园 - 聂微东
SecWiki News
SecWiki News
A
Arctic Wolf
爱范儿
爱范儿
Google Online Security Blog
Google Online Security Blog
T
Threat Research - Cisco Blogs
Hacker News - Newest:
Hacker News - Newest: "LLM"
有赞技术团队
有赞技术团队
The GitHub Blog
The GitHub Blog
Cyberwarzone
Cyberwarzone
博客园 - 叶小钗
V
Visual Studio Blog
V
V2EX
T
Tailwind CSS Blog
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
F
Fortinet All Blogs
MongoDB | Blog
MongoDB | Blog
D
Docker

CERT Recently Published Vulnerability Notes

CERT/CC Vulnerability Note VU#326070 CERT/CC Vulnerability Note VU#529388 CERT/CC Vulnerability Note VU#725167 VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs CERT/CC Vulnerability Note VU#152953 CERT/CC Vulnerability Note VU#734812 CERT/CC Vulnerability Note VU#849433 CERT/CC Vulnerability Note VU#213560 CERT/CC Vulnerability Note VU#828543 CERT/CC Vulnerability Note VU#639124 CERT/CC Vulnerability Note VU#936962 CERT/CC Vulnerability Note VU#226679 CERT/CC Vulnerability Note VU#457458 CERT/CC Vulnerability Note VU#380058 CERT/CC Vulnerability Note VU#862559 CERT/CC Vulnerability Note VU#595768 CERT/CC Vulnerability Note VU#615987 CERT/CC Vulnerability Note VU#265691 CERT/CC Vulnerability Note VU#873170 CERT/CC Vulnerability Note VU#158530 CERT/CC Vulnerability Note VU#780781 CERT/CC Vulnerability Note VU#980487 CERT/CC Vulnerability Note VU#777338 CERT/CC Vulnerability Note VU#471747 CERT/CC Vulnerability Note VU#937808 CERT/CC Vulnerability Note VU#260001 CERT/CC Vulnerability Note VU#748485 CERT/CC Vulnerability Note VU#518910 CERT/CC Vulnerability Note VU#890999 CERT/CC Vulnerability Note VU#414811 CERT/CC Vulnerability Note VU#915947 CERT/CC Vulnerability Note VU#536588 CERT/CC Vulnerability Note VU#951662 CERT/CC Vulnerability Note VU#655822 CERT/CC Vulnerability Note VU#221883 CERT/CC Vulnerability Note VU#330121 CERT/CC Vulnerability Note VU#577436 CERT/CC Vulnerability Note VU#624941 CERT/CC Vulnerability Note VU#907705 CERT/CC Vulnerability Note VU#665416 CERT/CC Vulnerability Note VU#976247 CERT/CC Vulnerability Note VU#772695 CERT/CC Vulnerability Note VU#431821 CERT/CC Vulnerability Note VU#504749 CERT/CC Vulnerability Note VU#458422 CERT/CC Vulnerability Note VU#481830
CERT/CC Vulnerability Note VU#616257
2026-06-10 · via CERT Recently Published Vulnerability Notes

Overview

Microsoft-signed UEFI bootloaders of the open-source shim project, primarily from version 0.9 and earlier, were identified as vulnerable to Secure Boot bypass. To mitigate this risk, the affected bootloaders will be added to the Microsoft UEFI Forbidden Signature Database (DBX). Once the DBX update is applied, these bootloaders will no longer be trusted for execution during the boot process.

An attacker could exploit these vulnerable shim bootloaders using a Bring Your Own Vulnerable Driver (BYOVD)-style technique to execute arbitrary code during the early boot phase, prior to operating system initialization, thereby bypassing Secure Boot protections.

Description

The Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains the "Microsoft Corporation UEFI CA 2011" certificate. This Microsoft certificate is widely used to sign third-party boot components intended to run under Secure Boot.

The open-source UEFI shim project is a small, signed bootloader that Microsoft signed using the "Microsoft Corporation UEFI CA 2011" certificate. Shim acts as a bridge between the motherboard's UEFI firmware and the operating system (typically a Linux distribution). Its purpose is to allow Linux distributions to boot with Secure Boot enabled without requiring every individual distribution's key to be built into the motherboard's NVRAM settings. In doing so, shim allows Linux distributions and other third parties to establish their own trust model through the use of Machine Owner Keys (MOKs), enabling additional bootloaders, kernels, and related components to execute within the Secure Boot chain. The shim project also introduced Secure Boot Advanced Targeting (SBAT), which provides a version-based revocation mechanism for boot components and simplifies future security updates and revocations.

Over time, multiple security vulnerabilities were identified and corrected in the upstream shim project. However, a number of vendors had previously forked or customized older versions of shim for their own products and boot environments. In many cases, these vendor-specific bootloaders were not updated after vulnerabilities in the upstream project became publicly known. As a result, vulnerable bootloaders remained signed and trusted by Secure Boot systems because they had not been revoked through the Microsoft-signed DBX revocation list. This created a long-term supply chain exposure in which outdated and vulnerable boot components could still be executed on fully patched systems.

Researchers from ESET identified multiple vulnerable shim bootloaders affected by these issues. The affected bootloaders will be added to Microsoft's official DBX revocation list as part of this coordinated disclosure.

Impacted shim bootloaders
[Vendor and Product Information
Authenticode SHA hash
SHA256 file hash
CVE ID]
Spyrus WTGCreator () from UEFI shim loader(0.7 (or lower))
AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961
1D18DF4B15D3BC3DFFA1777A557075210DD0C53B
CVE-2026-8863
RedHat RedHat Enterprise Linux (7.2) from UEFI shim loader(0.9)
7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10
3F24DD838C5C9E35B104FA2F3B74AC6A5BF92FD2
CVE-2026-10797
RedHat CentOS (7.2) from UEFI shim loader(0.9)
EB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A
E133BE08E8AD17AC00E3C8ED215499C5F3C54E64
CVE-2026-10797
baramundi software baramundi Management Suite (up to 2024R1) from UEFI shim loader(0.8)
FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5
8637D7EFA23A8A5738F2E4AACB6C9919B405AA2C
CVE-2026-8863
WhiteCanyon/Blancco WipeDrive (versions 8.0.0 through 8.1.3.) from UEFI shim loader(0.7)
a0de9333442c1bf9349a460141ae5e80f911955c6506040fa3d021bf6c1ae3e4
8A402AFCD3C23D9253BBEA08576113C63E448AD0
CVE-2026-8863
Finland's Matriculation Examination Board Abitti 1 (1.0) from UEFI shim loader(0.8)
95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06
8A83FA30DBF0073F33EAD298A7D5CD69A47C3A4B
CVE-2026-8863
NTC IT ROSA, LLC ROSA Linux (R10, R9) from UEFI shim loader(0.9)
236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B
8F9E8DB8E2C2157C2A591F2BE070FF96BFE318C7
CVE-2026-8863
Oracle America, Inc. OracleLinux (7.2) from UEFI shim loader(0.9)
5E594C448760A3135B1A3A83E07A4F2E6FBE49414EF2C7CAB1CBA77F284FA63B
A16136899A12AD214FA4FBA60072BA72FBAB8BCA
CVE-2026-8863
PC-Doctor, Inc. PC Doctor Service Center (15, 16) from UEFI shim loader(0.9)
8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963
BC01320D8FF8343B348EF8F3C947A66EB8FD9CE2
CVE-2026-8863
OpenSuse OpenSuse UEFI Shim loader (0.9)
410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373
3CF8BEB1E2885F51CA04002425C4F3C796D105BC
CVE-2026-8863
OpenSuse OpenSuse Shim (2.1) from UEFI Shim loader (0.9) 
96275DFD6282A522B011177EE049296952AC794832091F937FBBF92869028629
6DB5266E80C9D51CDD54421E736DF2E6E6879A56
CVE not provided

Impact

An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Code executed during this early boot phase may achieve persistent compromise of the platform, including the ability to load unsigned or malicious kernel components that can survive system reboots and, in some cases, operating system reinstallation. Because this activity occurs before the operating system and many security products initialize, malicious code executed through this technique may evade detection by operating system security controls and Endpoint Detection and Response (EDR) solutions.

Solution

Apply a Patch

Apply the latest software updates along with latest bootloader updates as provided by your hardware or software vendor. See the Vendor Information section for details. Updated software should replace any vulnerable shim bootloaders with versions that incorporate the latest upstream security fixes and SBAT protections. Additionally, Microsoft DBX updates should be applied to all UEFI-based systems to ensure that vulnerable bootloaders can no longer be executed during the Secure Boot process.

Recommendations for Enterprises and Developers

Because modifications to the DBX (Forbidden Signature Database) can affect system boot behavior, vendors and administrators should thoroughly test these updates before broad deployment to ensure systems remain bootable. When deploying Secure Boot updates, it is recommended the latest authorized signature database (DB) is updated before applying DBX revocations. In practice, this means updating trusted boot applications and certificates first, followed by deployment of the revocation list. Failure to follow this order may cause systems to reject newly updated boot components. Enterprises, virtualization providers, and cloud operators managing large-scale deployments should prioritize validation and deployment of these updates to prevent the execution of vulnerable or unsigned binaries during physical or virtual machine startup. Microsoft also provides DBX update files and related tooling through the following repository: SecureBoot Objects

Audit tools such as Check-UEFISecureBootVariables for Windows systems using PowerShell, and uefi-dbx-audit for Linux systems, can be used to help verify that current DBX updates have been applied to UEFI-based laptops, desktops, servers, and virtual machines with Secure Boot enabled. These tools can also assist enterprise administrators in identifying revoked or vulnerable boot components present on a system. Audit and verification capabilities may vary depending on platform firmware implementation and support for revocation mechanisms such as SBAT and the newer Microsoft-specific Secure Version Numbering (SVN) enforcement.

Acknowledgements

Thanks to Martin Smolar of ESET for researching and reporting this vulnerability. This document was written by Vijay Sarvepalli.

Vendor Information

Filter by content: Additional information available

 Sort by:

CVE IDs: CVE-2026-10797 CVE-2026-8863
API URL: VINCE JSON | CSAF
Date Public: 2026-06-09
Date First Published: 2026-06-09
Date Last Updated: 2026-06-10 17:26 UTC
Document Revision: 6