Overview
- ESET researchers reported in February 2026 that they found 11 Microsoft‑signed UEFI shim bootloaders (version 0.9 and earlier) that let attackers run untrusted code during early boot and deploy persistent UEFI bootkits.
- Microsoft added the eleven shim hashes to the forbidden signatures database (dbx) in the June 9, 2026 Patch Tuesday release, which Windows devices that received the update no longer trust.
- Linux and unmanaged systems must pull revocations via the Linux Vendor Firmware Service (LVFS/fwupd) or apply manual fixes and audits because Windows updates do not protect those machines automatically.
- A key risk remains because many shims and other third‑party UEFI components signed before 2017 are not fully catalogued, certificate expiration does not remove already‑trusted files, and older shim builds ignore modern revocation mechanisms like MOK denylist and SBAT.
- Administrators should update trusted boot applications and certificates before deploying dbx entries, run ESET and CERT/CC audit scripts to find remaining vulnerable shims, and prioritize firmware and vendor updates to prevent boot‑time persistence that can evade OS defenses.