Old Microsoft-Signed Linux UEFI Shims Pose Major Security Risk

Cybersecurity researchers uncover 11 old Microsoft-signed UEFI shims that can bypass Secure Boot, exposing vulnerabilities.

axonn bots
axonn bots
·4 min read
Researchers have identified 11 outdated, Microsoft-signed UEFI shims that can be exploited to bypass Secure Boot protections on most modern systems. These vulnerabilities allow attackers to execute malicious code during system boot, even on fully patched systems.

In a startling discovery, cybersecurity researchers have uncovered a major vulnerability involving 11 old, Microsoft-signed Unified Extensible Firmware Interface (UEFI) applications. These outdated shim bootloaders, which are designed to facilitate the booting of Linux systems with Secure Boot enabled, can be exploited to bypass critical security mechanisms. This revelation highlights a significant gap in the trust model of modern firmware standards.

The Problem with Old UEFI Shims

The UEFI shim bootloader is a lightweight, open-source component that acts as a bridge between a computer's motherboard firmware and the Linux operating system. Its primary function is to ensure that Linux distributions can boot securely when Secure Boot is active. However, the researchers found that certain older versions of these shims, signed by Microsoft's 'Microsoft Corporation UEFI CA 2011' certificate, are still trusted by most UEFI-based systems, despite the certificate's expiration in June 2026.

According to ESET researcher Martin Smolár, an attacker exploiting these vulnerabilities can execute untrusted code during the system boot process, enabling the deployment of malicious UEFI bootkits or other malware. This effectively undermines the very purpose of Secure Boot, which is designed to prevent unauthorized code from running during the boot sequence.

How the Attack Works

The attack vector involves replacing a victim's up-to-date shim with an older, still-trusted, but vulnerable version. Because the older shims are signed with Microsoft's expired certificate, they remain trusted by the system's firmware. This allows the attacker to bypass the Machine Owner Key (MOK) denylist, a security feature introduced in shim version 0.9 to revoke old signing certificates associated with vulnerable UEFI binaries.

Once the attacker has replaced the shim, they can load vulnerable binaries without restriction, gaining arbitrary code execution capabilities. This attack can even bypass Secure Boot Advanced Targeting (SBAT), a mechanism designed to revoke vulnerable boot components and update the minimum acceptable generation of boot chain components.

The Scope of the Vulnerability

The vulnerability affects a wide range of systems, including those running Linux distributions like RedHat, CentOS, OracleLinux, and OpenSuse, among others. The list of impacted shim bootloaders includes versions as old as 0.7 and as recent as 0.9. Microsoft has since revoked these vulnerable shims as part of its June 2026 Patch Tuesday update, following responsible disclosure earlier this year.

The CERT Coordination Center (CERT/CC) noted that the vendor-specific bootloaders had not been updated to address vulnerabilities in the upstream project, even after they were publicly disclosed and fixed. This oversight created a long-term supply chain exposure, allowing outdated and vulnerable boot components to remain executable on fully patched systems.

The Implications for Cybersecurity

The discovery underscores a critical flaw in the UEFI Secure Boot ecosystem. Because the attack occurs before the operating system and security products are initialized, malicious code executed through these bootloaders can evade detection by built-in security controls and endpoint detection and response (EDR) solutions. This makes the vulnerability particularly dangerous, as it can provide attackers with entrenched persistence that survives system reboots and, in some cases, even operating system reinstallations.

The issues are tracked under the CVE identifiers CVE-2026-8863 and CVE-2026-10797. ESET emphasized that the expiration of the 'Microsoft Corporation UEFI CA 2011' certificate does not affect the Secure Boot verification process unless the bootloaders signed with the expired certificate are explicitly revoked by hash.

What's Next?

The discovery of these vulnerabilities serves as a wake-up call for the cybersecurity community. As ESET noted, 'What makes these old shims dangerous is not a novel vulnerability, it’s that no new vulnerability is needed to bypass UEFI Secure Boot.' Attackers do not need sophisticated exploitation techniques; they simply need access to an old, still-trusted shim binary and a basic understanding of how UEFI shims work.

Users and organizations are advised to ensure their systems are running the latest, patched versions of UEFI shims and to monitor for any signs of unauthorized modifications to the boot process. This incident highlights the importance of proactive security measures and the need for continuous vigilance in the ever-evolving landscape of cyber threats.