CISA issues guidance on DBX revocations for shim Secure Boot bypass
Microsoft-signed UEFI bootloaders from the open-source shim project, mainly version 0.9 and earlier, were found vulnerable to a Secure Boot bypass, which could allow arbitrary code execution during early boot before the operating system loads.
The issue is tracked under CVE-2026-8863. Shim is described as a small bootloader that Microsoft signed with the “Microsoft Corporation UEFI CA 2011” certificate. The UEFI trust model relies on firmware-managed signature databases, including the authorized signature database (DB), and the remediation described is to add the affected bootloaders to the Microsoft UEFI Forbidden Signature Database (DBX) revocation list so they are no longer trusted during the Secure Boot process. An attacker could use a Bring Your Own Vulnerable Driver (BYOVD)-style technique to execute arbitrary code during the early boot phase, before operating system initialization. The vulnerable bootloaders listed, each with the Authenticode SHA and SHA256 values given in the guidance, are:

| Product (version) | UEFI shim loader version | Authenticode SHA | SHA256 | CVE |
|---|---|---|---|---|
| Spyrus WTGCreator () | 0.7 (or lower) | AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961 | 1D18DF4B15D3BC3DFFA1777A557075210DD0C53B | CVE-2026-8863 |
| RedHat Enterprise Linux (7.2) | 0.9 | 7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10 | 3F24DD838C5C9E35B104FA2F3B74AC6A5BF92FD2 | CVE pending from vendor |
| RedHat CentOS (7.2) | 0.9 | EB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A | E133BE08E8AD17AC00E3C8ED215499C5F3C54E64 | CVE pending from vendor |
| baramundi Management Suite (up to 2024R1) | 0.8 | FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5 | 8637D7EFA23A8A5738F2E4AACB6C9919B405AA2C | CVE-2026-8863 |
| WhiteCanyon/Blancco WipeDrive (8.0.0 through 8.1.3) | 0.7 | a0de9333442c1bf9349a460141ae5e80f911955c6506040fa3d021bf6c1ae3e4 | 8A402AFCD3C23D9253BBEA08576113C63E448AD0 | CVE-2026-8863 |
| Finland's Matriculation Examination Board Abitti 1 (1.0) | 0.8 | 95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06 | 8A83FA30DBF0073F33EAD298A7D5CD69A47C3A4B | CVE-2026-8863 |
| NTC IT ROSA, LLC ROSA Linux (R10, R9) | 0.9 | 236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B | 8F9E8DB8E2C2157C2A591F2BE070FF96BFE318C7 | CVE-2026-8863 |
| OracleLinux (7.2) | 0.9 | 5E594C448760A3135B1A3A83E07A4F2E6FBE49414EF2C7CAB1CBA77F284FA63B | A16136899A12AD214FA4FBA60072BA72FBAB8BCA | CVE-2026-8863 |
| PC Doctor Service Center (15, 16) | 0.9 | 8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963 | BC01320D8FF8343B348EF8F3C947A66EB8FD9CE2 | CVE-2026-8863 |
| OpenSuse Shim (10.1) | 0.9 | 410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373 | 3CF8BEB1E2885F51CA04002425C4F3C796D105BC | CVE not provided |
| OpenSuse Shim (2.1) | 0.9 | 96275DFD6282A522B011177EE049296952AC794832091F937FBBF92869028629 | 6DB5266E80C9D51CDD54421E736DF2E6E6879A56 | CVE not provided |

The narrative also references that the shim project introduced Secure Boot Advanced Targeting (SBAT), which provides a version-based revocation mechanism for boot components.
An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. The document states that code executed during this early boot phase may achieve persistent compromise of the platform, including the ability to load unsigned or malicious kernel components that can survive system reboots and, in some cases, operating system reinstallation. It also states that this activity occurs before the operating system and many security products initialize, so malicious code executed through this technique may evade detection by operating system security controls and Endpoint Detection and Response (EDR) solutions.
The stated fix is to apply the latest software updates along with the latest bootloader updates provided by the hardware or software vendor. The guidance further says updated software should replace vulnerable shim bootloaders with versions that incorporate the latest upstream security fixes and SBAT protections. In addition, Microsoft DBX updates should be applied to all UEFI-based systems to ensure vulnerable bootloaders can no longer be executed during the Secure Boot process.
For deployment guidance, the document says modifications to the DBX can affect system boot behavior, so vendors and administrators should thoroughly test DBX updates before broad deployment. When deploying Secure Boot updates, it recommends applying the latest authorized signature database (DB) update before applying DBX revocations, describing this as updating trusted boot applications and certificates first, followed by deployment of the revocation list; it notes that failure to follow this order may cause systems to reject newly updated boot components. It also states that enterprises, virtualization providers, and cloud operators managing large-scale deployments should prioritize validation and deployment of these updates to prevent the execution of vulnerable or unsigned binaries during physical or virtual machine startup. The document points to the Microsoft-provided DBX update files and tooling at https://github.com/microsoft/secureboot_objects, and it lists audit tools including Check-UEFISecureBootVariables for Windows systems using PowerShell and uefi-dbx-audit for Linux systems, stating that these tools can help verify current DBX updates have been applied and can assist in identifying revoked or vulnerable boot components on a system.
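As an added example, not part of the CISA guidance or of the audit tools it names, the following Python check does in miniature what those tools do: it walks the EFI_SIGNATURE_LIST chain of a DBX variable and reports which of the Authenticode SHA values from the table above are present as SHA-256 revocation entries. It assumes that those 64-hex values are the SHA-256 entries a DBX update carries, that a Linux efivarfs file prepends four attribute bytes to the variable data, and it runs against a constructed DBX image rather than a live system.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST (UEFI spec): SignatureType GUID (16 bytes), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (three little-endian
# UINT32), an optional header, then EFI_SIGNATURE_DATA entries, each a
# SignatureOwner GUID (16 bytes) followed by the signature (32 bytes for SHA-256).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = 16 + 12

# Authenticode SHA values quoted in the table above (a subset; extend as needed).
# Assumption: these are the SHA-256 values the DBX update carries for each binary.
REVOKED_SHIMS = {
    "AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961": "Spyrus WTGCreator, shim 0.7",
    "7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10": "RedHat Enterprise Linux 7.2, shim 0.9",
    "FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5": "baramundi Management Suite, shim 0.8",
}

def parse_signature_lists(blob):
    """Yield (signature_type, signature_data) for every entry in a chain of lists."""
    off = 0
    while off + LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < LIST_HDR or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + LIST_HDR + hdr_size
        while pos + sig_size <= end:
            yield sig_type, blob[pos + 16:pos + sig_size]  # skip SignatureOwner GUID
            pos += sig_size
        off = end

def revoked_shims_present(dbx_var, efivarfs=True):
    """Map advisory hash -> product for each hash found as a SHA-256 entry in DBX.
    efivarfs (/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f)
    prepends 4 attribute bytes to the variable data; set efivarfs=False otherwise."""
    blob = dbx_var[4:] if efivarfs else dbx_var
    present = {data.hex().upper() for t, data in parse_signature_lists(blob)
               if t == EFI_CERT_SHA256_GUID and len(data) == 32}
    return {h: name for h, name in REVOKED_SHIMS.items() if h in present}

def build_sha256_list(hashes):
    """Constructed EFI_SIGNATURE_LIST of SHA-256 entries, used here only as sample input."""
    owner = uuid.UUID(int=0).bytes_le  # placeholder SignatureOwner
    entries = b"".join(owner + bytes.fromhex(h) for h in hashes)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", LIST_HDR + len(entries), 0, 48)
    return hdr + entries

# Constructed DBX image: attributes 0x27 (NV|BS|RT|TIME_BASED_AUTH) as efivarfs
# exposes them, then one list holding the Spyrus hash plus an unrelated placeholder.
SAMPLE_DBX = b"\x27\x00\x00\x00" + build_sha256_list([
    "AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961",
    "11" * 32,
])

if __name__ == "__main__":
    found = revoked_shims_present(SAMPLE_DBX)
    for h, name in REVOKED_SHIMS.items():
        print("revoked in DBX" if h in found else "NOT in DBX   ", name)
```

Against a real system, pass the bytes of the efivarfs dbx file to revoked_shims_present; any advisory hash it does not report is a revocation that has not yet reached that machine.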