Microsoft has addressed a critical security feature bypass vulnerability in Windows Secure Boot certificates, tracked as CVE-2026-21265, through its January 2026 Patch Tuesday updates.
The flaw stems from expiring 2011-era certificates that underpin Secure Boot’s trust chain, potentially allowing attackers to disrupt boot integrity if unpatched.
Rated Important with a CVSS v3.1 base score of 6.4, the issue requires local access, high privileges, and high attack complexity, making exploitation less likely.msrc.microsoft+4
CVE-2026-21265 arises because Microsoft certificates stored in UEFI KEK and DB are nearing expiration dates in mid-2026, risking Secure Boot failure without updates.
Firmware defects in the OS’s certificate update mechanism can disrupt the trust chain, compromising Windows Boot Manager and third-party loaders. Publicly disclosed but not yet exploited in the wild, Microsoft urges immediate deployment of 2023 replacement certificates.
Three key 2011 certificates must be renewed to sustain Secure Boot:
| Certificate Authority | Location | Purpose | Expiration Date |
|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | KEK | Signs updates to DB and DBX | 06/24/2026 |
| Microsoft Corporation UEFI CA 2011 | DB | Signs 3rd party boot loaders, Option ROMs | 06/27/2026 |
| Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 10/19/2026 |
Failure to update exposes devices to boot-time attacks, as noted in Microsoft’s November 2025 advisory.
Affected Systems and Patches
Patches target legacy Windows Server and extended-support editions, all marked as customer action required.
| Product | KB Article | Build Number | Update Type |
|---|---|---|---|
| Windows Server 2012 R2 (Core) | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 R2 | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 (Core) | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2012 | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2016 (Core) | 5073722 | 10.0.14393.8783 | Security Update |
| Windows Server 2016 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x64 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x86 | 5073722 | 10.0.14393.8783 | Security Update |
Organizations with IT-managed or Microsoft-managed updates should prioritize deployment. Verify firmware compatibility to avoid post-patch boot issues.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
