Jan 2026: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
CVE-2026-21265 Published on January 13, 2026
Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot.
The operating systems certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees.
Certificate Authority (CA)
Location
Purpose
Expiration Date
Microsoft Corporation KEK CA 2011
KEK
Signs updates to the DB and DBX
06/24/2026
Microsoft Corporation UEFI CA 2011
DB
Signs 3rd party boot loaders, Option ROMs, etc.
06/27/2026
Microsoft Windows Production PCA 2011
DB
Signs the Windows Boot Manager
10/19/2026
For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
Weakness Type
Reliance on Component That is Not Updateable
The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.
Products Associated with CVE-2026-21265
Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.
Affected Versions
Microsoft Windows 10 Version 1607:- Version 10.0.14393.0 and below 10.0.14393.8783 is affected.
- Version 10.0.17763.0 and below 10.0.17763.8276 is affected.
- Version 10.0.19044.0 and below 10.0.19044.6809 is affected.
- Version 10.0.19045.0 and below 10.0.19045.6809 is affected.
- Version 10.0.22631.0 and below 10.0.22631.6491 is affected.
- Version 10.0.22631.0 and below 10.0.22631.6491 is affected.
- Version 10.0.26100.0 and below 10.0.26100.7623 is affected.
- Version 10.0.26200.0 and below 10.0.26200.7623 is affected.
- Version 6.2.9200.0 and below 6.2.9200.25868 is affected.
- Version 6.2.9200.0 and below 6.2.9200.25868 is affected.
- Version 6.3.9600.0 and below 6.3.9600.22968 is affected.
- Version 6.3.9600.0 and below 6.3.9600.22968 is affected.
- Version 10.0.14393.0 and below 10.0.14393.8783 is affected.
- Version 10.0.14393.0 and below 10.0.14393.8783 is affected.
- Version 10.0.17763.0 and below 10.0.17763.8276 is affected.
- Version 10.0.17763.0 and below 10.0.17763.8276 is affected.
- Version 10.0.20348.0 and below 10.0.20348.4648 is affected.
- Version 10.0.25398.0 and below 10.0.25398.2092 is affected.
- Version 10.0.26100.0 and below 10.0.26100.32230 is affected.
- Version 10.0.26100.0 and below 10.0.26100.32230 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.