In the January 2026 Patch Tuesday, Microsoft disclosed CVE-2026-21265, a security feature bypass vulnerability in Windows Secure Boot with a CVSS score of 6.4 and a severity rated as Important. This is not a classic code bug, but a cryptographic lifecycle problem: the Microsoft certificates stored in the UEFI firmware are reaching their expiration date.
What it actually is
Secure Boot is the UEFI mechanism that ensures only software signed by a trusted authority runs during the boot process. That trust is anchored in Microsoft certificates stored in two firmware databases: the KEK (Key Enrollment Key) and the DB (Signature Database). The 2011-era certificates that underpin this scheme are expiring in 2026:
- Microsoft Corporation KEK CA 2011: June 24, 2026
- Microsoft Corporation UEFI CA 2011: June 27, 2026
- Microsoft Windows Production PCA 2011: October 19, 2026
When these certificates expire without being renewed, the system stops receiving critical Secure Boot updates, such as new revocation lists (DBX) and boot manager mitigations. A machine left in that state is at greater risk of having its secure boot chain bypassed, for example by loading a malicious bootloader that would normally be rejected.
Who it affects
It affects Windows 10, Windows 11 and Windows Server systems that use Secure Boot with Microsoft’s 2011 certificates, which is essentially the entire modern device fleet. The issue is especially relevant on virtual machines and managed devices that rely on the UEFI chain of trust. While the affected product is Windows, it is worth remembering that many Linux distributions boot through a shim signed under the Microsoft UEFI CA 2011, so this certificate transition is also relevant in dual-boot environments.
Severity and exploitation status
Microsoft classified the vulnerability as Publicly Disclosed, because the certificate expiration dates are public information, but assessed it as Exploitation Less Likely and there is no active exploitation on record. The real severity is medium: on its own it does not allow code execution, but it degrades a fundamental protection against rootkits and bootkits.
Mitigation and patch
The January 2026 update lays the groundwork to solve the problem by deploying the new 2023 certificates that replace the 2011 ones:
- Microsoft Corporation KEK 2K CA 2023 is added to the KEK.
- Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are added to the DB.
Practical recommendations:
- Apply the 2026 cumulative updates as soon as possible; the new certificates and the servicing task that installs them are distributed through the cumulative updates (typically May or June 2026).
- Verify that the certificate update process completes successfully, especially on virtual machines, where failures have been reported.
- For fleet administrators, follow Microsoft’s official playbook for the 2026 Secure Boot certificate transition before the expiration dates.
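The 2023 certificates listed above are enrolled as entries in the KEK and DB variables, and "verify that the update completed" comes down to checking whether those entries are present. As an added example that is not code from Microsoft or from the original article, the following Python parses the raw bytes of a db or KEK variable (a sequence of EFI_SIGNATURE_LIST structures from the UEFI specification) and reports which of the 2011 and 2023 Microsoft CA names it contains; the variable content used here is constructed inline with placeholder certificate bytes, and the CA name strings are the ones named in this advisory.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")
# Subject names from the advisory: the expiring 2011 CAs and their 2023 replacements
KNOWN_CAS = ["Microsoft Corporation KEK CA 2011", "Microsoft Corporation UEFI CA 2011",
             "Microsoft Corporation KEK 2K CA 2023", "Microsoft UEFI CA 2023",
             "Microsoft Option ROM UEFI CA 2023"]

def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) for every EFI_SIGNATURE_DATA entry."""
    off = 0
    while off + SIGLIST_HDR.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + SIGLIST_HDR.size + hdr_size:off + list_size]
        for i in range(0, len(body) - sig_size + 1, sig_size):
            entry = body[i:i + sig_size]  # 16-byte SignatureOwner GUID followed by SignatureData
            yield uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def find_ca_names(data: bytes) -> dict:
    """Report which known CA names occur in X.509 entries. DER stores the subject CN as an
    ASCII PrintableString, so a byte substring search is enough for these Microsoft CAs."""
    found = {name: False for name in KNOWN_CAS}
    for sig_type, _owner, sig in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            for name in KNOWN_CAS:
                if name.encode("ascii") in sig:
                    found[name] = True
    return found

def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Pack one EFI_SIGNATURE_LIST with no signature header; all entries share one size."""
    sig_size = 16 + len(entries[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body

# Constructed sample db (not a real dump): one SHA-256 hash entry, the expiring UEFI CA 2011
# and one of the new 2023 CAs; the "certificates" are placeholder bytes, not real DER.
SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, [b"\x11" * 32])
             + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82 Microsoft Corporation UEFI CA 2011"])
             + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82 Microsoft UEFI CA 2023"]))
```

On a real machine, pass `find_ca_names` the bytes from `(Get-SecureBootUEFI db).bytes` in PowerShell or, on Linux, the contents of `/sys/firmware/efi/efivars/db-*` after stripping the 4-byte attribute prefix that efivarfs prepends. A db in which the 2023 names are still reported missing after the cumulative update has been applied is the failure case the recommendation above asks you to look for.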
If you manage Secure Boot alongside system security controls, you may be interested in our guide on SELinux and AppArmor to harden your security posture beyond the firmware.