
Microsoft has addressed a critical security feature bypass vulnerability in Windows Secure Boot certificates, tracked as CVE-2026-21265, through its January 2026 Patch Tuesday updates.
The flaw stems from expiring 2011-era certificates that underpin Secure Boot’s trust chain, potentially allowing attackers to disrupt boot integrity if unpatched.
Rated Important with a CVSS v3.1 base score of 6.4, the issue requires local access, high privileges, and high attack complexity, making exploitation less likely.
CVE-2026-21265 arises because Microsoft certificates stored in UEFI KEK and DB are nearing expiration dates in mid-2026, risking Secure Boot failure without updates.
Firmware defects in the certificate update mechanism can disrupt the trust chain, affecting both the Windows Boot Manager and third-party boot loaders. The flaw has been publicly disclosed but is not known to be exploited in the wild; Microsoft urges immediate deployment of the 2023 replacement certificates.
Three key 2011 certificates must be renewed to sustain Secure Boot:
| Certificate Authority | Location | Purpose | Expiration Date |
|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | KEK | Signs updates to DB and DBX | 06/24/2026 |
| Microsoft Corporation UEFI CA 2011 | DB | Signs 3rd party boot loaders, Option ROMs | 06/27/2026 |
| Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 10/19/2026 |
Failure to update exposes devices to boot-time attacks, as noted in Microsoft’s November 2025 advisory.
Affected Systems and Patches
Patches target legacy Windows Server and extended-support editions, all marked as customer action required.
| Product | KB Article | Build Number | Update Type |
|---|---|---|---|
| Windows Server 2012 R2 (Core) | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 R2 | 5073696 | 6.3.9600.22968 | Monthly Rollup |
| Windows Server 2012 (Core) | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2012 | 5073698 | 6.2.9200.25868 | Monthly Rollup |
| Windows Server 2016 (Core) | 5073722 | 10.0.14393.8783 | Security Update |
| Windows Server 2016 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x64 | 5073722 | 10.0.14393.8783 | Security Update |
| Windows 10 Version 1607 x86 | 5073722 | 10.0.14393.8783 | Security Update |
Organizations with IT-managed or Microsoft-managed updates should prioritize deployment. Verify firmware compatibility to avoid post-patch boot issues.
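One way to inventory where a machine stands against the certificate table above and the deployment guidance here is to read the Secure Boot KEK and DB variables and report whether each expiring 2011 CA is present, how many days it has left, and whether its 2023 replacement has already been enrolled. The script below is an added example, not code from the article or from Microsoft. It assumes a UEFI Windows system with the built-in SecureBoot module, an elevated PowerShell session, and that the 2023 replacement CA names (Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023, Windows UEFI CA 2023) match the ones in Microsoft's Secure Boot documentation; the article itself does not name them.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft.
# Reports which Secure Boot CAs the firmware currently trusts so the expiring
# 2011 CAs and their 2023 replacements can be inventoried before the deadlines.
# Assumes a UEFI Windows system with the SecureBoot module. The 2011 names and
# dates are from the table in the article; the 2023 replacement names are
# assumed from Microsoft's published Secure Boot documentation.

$Expected = @(
    [pscustomobject]@{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';     Expires = [datetime]'2026-06-24'; Replacement = 'Microsoft Corporation KEK 2K CA 2023' }
    [pscustomobject]@{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2011';    Expires = [datetime]'2026-06-27'; Replacement = 'Microsoft UEFI CA 2023' }
    [pscustomobject]@{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011'; Expires = [datetime]'2026-10-19'; Replacement = 'Windows UEFI CA 2023' }
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # The variable is an EFI_SIGNATURE_LIST blob. The X.509 subject CNs inside it
    # are plain ASCII, so decoding the bytes and searching for the CA name is
    # enough to detect whether that CA is enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Get-SecureBootCaStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
        throw "Secure Boot is not supported on this platform: $_"
    }

    $cache = @{}
    foreach ($e in $Expected) {
        if (-not $cache.ContainsKey($e.Variable)) {
            $cache[$e.Variable] = Get-SecureBootVariableText -Name $e.Variable
        }
        $text = $cache[$e.Variable]
        [pscustomobject]@{
            SecureBootEnabled  = $enabled
            Variable           = $e.Variable
            ExpiringCA         = $e.Name
            ExpiringCAPresent  = [bool]($text -match [regex]::Escape($e.Name))
            DaysUntilExpiry    = [int]($e.Expires - (Get-Date)).TotalDays
            ReplacementCA      = $e.Replacement
            ReplacementPresent = [bool]($text -match [regex]::Escape($e.Replacement))
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# Anything without its 2023 replacement still needs the certificate update applied.
$pending = $status | Where-Object { -not $_.ReplacementPresent }
if ($pending) {
    $names = ($pending.ReplacementCA | Select-Object -Unique) -join ', '
    Write-Warning "Missing 2023 replacement CA(s): $names"
    exit 1
}
```

A non-zero exit code from the script makes it easy to drop into a configuration-management or monitoring job; a negative DaysUntilExpiry value means the 2011 CA has already lapsed and the device is relying entirely on the 2023 chain being present.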
