Old UEFI Shims Pose Security Risks: How to Prevent Secure Boot Bypass
A critical vulnerability in legacy Unified Extensible Firmware Interface (UEFI) shim bootloaders has been identified, allowing potential bypasses of Secure Boot protections on affected systems.
The Vulnerability in Legacy UEFI Shims
Researchers at ESET discovered that 11 outdated UEFI shims, signed by Microsoft, remained active despite known security risks. These shims, which act as intermediaries between UEFI firmware and operating systems, enable boot processes to function under Secure Boot constraints. However, older versions—primarily from 2013 and earlier—were found to pose significant risks due to unresolved vulnerabilities.
How UEFI Shims Work
UEFI shims are small software components designed to bridge the gap between motherboard firmware and operating systems, typically Linux distributions. By leveraging Microsoft-signed shims, Linux distributions can establish trust without requiring individual keys to be embedded in the motherboard’s non-volatile random-access memory (NVRAM). This mechanism allows bootloaders, kernels, and other components to execute during Secure Boot. However, some vendors failed to update their shims, leaving them signed and trusted within the Secure Boot chain.
Microsoft’s Response and CVEs
Microsoft addressed the issue by revoking the affected shims on June 2026 Patch Tuesday, following reports from ESET. Two specific vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2026-8863 and CVE-2026-10797. The compromised shims could be exploited to bypass Secure Boot protections on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 certificate authority. This includes systems running any operating system, regardless of the installed OS.
The Risks of Outdated Shims
The affected shims originated from various tools and packages, expanding the attack surface through their role as second-stage bootloaders. Attackers could introduce malicious shims to systems that have enrolled the Microsoft third-party UEFI certificate. ESET noted that the signing and compilation timestamps of trusted applications linked to the shims ranged from 2013 to 2025, indicating that many of these binaries were outdated and susceptible to known vulnerabilities. For example, the BootHole vulnerability in GRUB2 was cited as a potential risk.
The continued trust in these outdated shims enables attackers to execute untrusted code during the boot process, facilitating the deployment of bootkits even when Secure Boot is enabled.
CERT/CC and UEFI DBX
ESET disclosed the findings to the CERT/CC in February 2026, prompting Microsoft to add the vulnerable applications to the UEFI DBX (Forbidden Signature Database) in June. CERT/CC advised system administrators to update the UEFI signature database (DB) before applying DBX revocations. This process involves first updating trusted boot applications and certificates, followed by deploying the revocation list. Failure to follow this sequence could result in systems rejecting newly updated boot components.
Legacy Software Challenges
The issue highlights ongoing challenges with legacy software in secure boot ecosystems. Since 2017, UEFI shims have undergone a vetting process, but pre-2017 approvals lack documentation, leaving potential risks unaddressed. Security professionals warn that many older, still-trusted shims may remain in use, exposing systems to exploitation.
Conclusion
Organizations managing large-scale deployments, including enterprises, virtualization providers, and cloud operators, are urged to prioritize validation and implementation of the necessary updates. The incident underscores the importance of continuous monitoring and proactive mitigation of vulnerabilities in firmware and boot processes.
