Particle.news

Microsoft Revokes 11 Old UEFI Shims That Could Bypass Secure Boot

The dbx revocations block the identified Microsoft-signed shims and help stop boot-time attacks on most Windows and updated Linux systems.

Overview

  • ESET researchers identified 11 Microsoft-signed shim bootloaders, mainly version 0.9 and earlier, that can be reused with a matching second-stage loader to execute untrusted code before the OS boots.
  • Microsoft added the revoked shim hashes to Windows' dbx revocation list in its June 9, 2026 Patch Tuesday update to prevent those specific files from being trusted by Secure Boot.
  • One flaw tracked as CVE-2026-10797 stems from an old upstream bug where signature-length fields were read inconsistently during revocation checks, letting certificate-based revocations be bypassed.
  • Windows devices should receive the dbx update automatically and Linux users can get fixes via LVFS/fwupd or run ESET’s and uefi-dbx-audit checks, but some OEM firmware, paused enterprise update rings, virtual machines, and legacy devices may still need vendor patches or manual steps.
  • Revoking these eleven shims reduces the immediate supply-chain exposure but uncertainty about older, still-trusted shims and the expired Microsoft UEFI CA 2011 certificate means residual risk remains and broader vendor record-keeping and updates are needed.