Overview
- ESET researchers identified 11 Microsoft-signed shim bootloaders, mainly version 0.9 and earlier, that can be reused with a matching second-stage loader to execute untrusted code before the OS boots.
- Microsoft added the revoked shim hashes to Windows' dbx revocation list in its June 9, 2026 Patch Tuesday update to prevent those specific files from being trusted by Secure Boot.
- One flaw tracked as CVE-2026-10797 stems from an old upstream bug where signature-length fields were read inconsistently during revocation checks, letting certificate-based revocations be bypassed.
- Windows devices should receive the dbx update automatically and Linux users can get fixes via LVFS/fwupd or run ESET’s and uefi-dbx-audit checks, but some OEM firmware, paused enterprise update rings, virtual machines, and legacy devices may still need vendor patches or manual steps.
- Revoking these eleven shims reduces the immediate supply-chain exposure but uncertainty about older, still-trusted shims and the expired Microsoft UEFI CA 2011 certificate means residual risk remains and broader vendor record-keeping and updates are needed.