CVE-2026-21265: Reliance on Component That is Not Updateable in Microsoft Windows 10 Version 1607

Severity: 6.4 MEDIUM (NVD)
EPSS: 0.5% (top 33.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13

Description

Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust up
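The practical question this advisory raises for an operator is which Microsoft certificates a given machine actually holds in its KEK and DB, and when they expire. The script below is an added example written for this page; it is not code from the advisory or from Microsoft. It assumes a Windows host booted with UEFI Secure Boot, the built-in SecureBoot PowerShell module (Get-SecureBootUEFI, Confirm-SecureBootUEFI), and an elevated session. The 2023 CA names it looks for are taken from Microsoft's Secure Boot certificate update guidance rather than from this page, so confirm them against the vendor advisory before relying on the check.

```powershell
# Added example (not from the advisory): parse the UEFI KEK and DB variables,
# list the X.509 certificates they contain, and flag the ones close to expiry.
# Assumptions: UEFI Secure Boot host, SecureBoot module, elevated PowerShell.

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this system' }

# EFI_CERT_X509_GUID from the UEFI specification: signature lists of this type
# carry DER-encoded X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # The variable is a concatenation of EFI_SIGNATURE_LIST structures:
    #   SignatureType (GUID, 16) | SignatureListSize (UINT32) |
    #   SignatureHeaderSize (UINT32) | SignatureSize (UINT32) |
    #   SignatureHeader | N x (SignatureOwner GUID (16) + SignatureData)
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($sigType -eq $EfiCertX509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Store      = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Inventory the two stores the advisory names and show expiry dates.
$warnDays = 180
$certs = @('KEK', 'db') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object Store, NotAfter | Format-Table Store, NotAfter, Subject -AutoSize

$expiring = $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($warnDays) }
foreach ($c in $expiring) {
    Write-Warning ('[{0}] {1} expires {2:yyyy-MM-dd}' -f $c.Store, $c.Subject, $c.NotAfter)
}

# After the certificate update the 2023 CAs should sit alongside the 2011 ones.
# These names are an assumption taken from Microsoft's Secure Boot certificate
# guidance, not from the advisory text; verify them against the vendor advisory.
$expected2023 = @('Microsoft Corporation KEK 2K CA 2023', 'Microsoft UEFI CA 2023', 'Windows UEFI CA 2023')
foreach ($name in $expected2023) {
    $present = [bool]($certs | Where-Object { $_.Subject -like "*$name*" })
    '{0,-40} {1}' -f $name, $(if ($present) { 'present' } else { 'MISSING' })
}
```

The parser walks the raw EFI_SIGNATURE_LIST layout rather than string-searching the variable, so it also reports the real NotAfter date of each certificate; a machine that only shows 2011-era CAs in KEK and DB has not yet received the update the advisory describes, and a firmware that rejects the update is exactly the non-updateable-component case the CWE title refers to.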

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.5 | Impact: 5.9

Affected Packages (22 packages)

Source | Package | Affected versions
NVD | microsoft/windows | < 10.0.14393.8783 (+5 more)
NVD | microsoft/windows_10_1607 | < 10.0.14393.8783
NVD | microsoft/windows_10_1809 | < 10.0.17763.8276
NVD | microsoft/windows_10_21h2 | < 10.0.19044.6809
NVD | microsoft/windows_10_22h2 | < 10.0.19045.6809

🔴 Vulnerability Details (3)

CVEList: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability (2026-01-13)
GHSA: GHSA-xqxc-72vf-v8f5: Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB (2026-01-13)
OSV: CVE-2026-21265: Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB (2026-01-13)

📋 Vendor Advisories (1)

Microsoft: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability (2026-01-13)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-21265 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-21265 — Microsoft vulnerability | cvebase