CVE-2026-21265: CWE-1329 - Reliance on Component That is Not Updateable in Microsoft Windows 10 Version 1607
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
AI Analysis
Technical Summary
Windows Secure Boot relies on Microsoft certificates stored in the UEFI KEK and DB to validate boot components. The original certificates from 2011 are nearing expiration in 2026, necessitating updates to avoid loss of security fixes related to the Windows boot manager and Secure Boot. The update process depends on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably, potentially disrupting the Secure Boot trust chain. This vulnerability is identified as CWE-1329, indicating reliance on a component that is not updateable. A patch is available to update these certificates and restore intended security guarantees.
Potential Impact
If the certificates are not updated properly, Secure Boot functionality may be compromised, leading to potential loss of security guarantees during system boot. This could allow unauthorized boot loaders or components to be trusted, impacting confidentiality, integrity, and availability of the system. The CVSS score of 6.4 reflects a medium severity with high impact on confidentiality, integrity, and availability, but requiring local access with high privileges and no user interaction.
Mitigation Recommendations
A patch is available to update the expiring Microsoft certificates used by Windows Secure Boot. It is recommended to apply the official update from Microsoft to ensure Secure Boot functionality is maintained and security fixes are preserved. Careful validation and deployment of the update are necessary due to potential firmware component defects affecting the update process. Administrators should monitor vendor advisories for detailed guidance on applying these updates.
CVE-2026-21265: CWE-1329 - Reliance on Component That is Not Updateable in Microsoft Windows 10 Version 1607
Description
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Windows Secure Boot relies on Microsoft certificates stored in the UEFI KEK and DB to validate boot components. The original certificates from 2011 are nearing expiration in 2026, necessitating updates to avoid loss of security fixes related to the Windows boot manager and Secure Boot. The update process depends on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably, potentially disrupting the Secure Boot trust chain. This vulnerability is identified as CWE-1329, indicating reliance on a component that is not updateable. A patch is available to update these certificates and restore intended security guarantees.
Potential Impact
If the certificates are not updated properly, Secure Boot functionality may be compromised, leading to potential loss of security guarantees during system boot. This could allow unauthorized boot loaders or components to be trusted, impacting confidentiality, integrity, and availability of the system. The CVSS score of 6.4 reflects a medium severity with high impact on confidentiality, integrity, and availability, but requiring local access with high privileges and no user interaction.
Mitigation Recommendations
A patch is available to update the expiring Microsoft certificates used by Windows Secure Boot. It is recommended to apply the official update from Microsoft to ensure Secure Boot functionality is maintained and security fixes are preserved. Careful validation and deployment of the update are necessary due to potential firmware component defects affecting the update process. Administrators should monitor vendor advisories for detailed guidance on applying these updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- microsoft
- Date Reserved
- 2025-12-11T21:02:05.738Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69668ae7a60475309f9ae299
Added to database: 1/13/2026, 6:11:51 PM
Last enriched: 4/3/2026, 12:54:21 PM
Last updated: 5/8/2026, 12:23:14 PM
Views: 754
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.