Microsoft has revoked eleven legacy UEFI shim bootloaders that were previously signed, exposing vulnerabilities that allow attackers to bypass Secure Boot protections. These shims serve as crucial software bridges between a computer's UEFI firmware and its operating system, often used in Linux distributions to facilitate secure booting without embedding individual keys into the motherboard's NVRAM. While many vulnerabilities in the open-source shim project have been addressed over time, some vendors did not update their bootloaders, leaving these old shims signed and trusted, thus vulnerable to exploitation.

ESET identified that these outdated shims, primarily from version 0.9 and earlier, remained in circulation until Microsoft issued a revocation on June 2026 Patch Tuesday. This move followed the assignment of two CVEs, CVE-2026-8863 and CVE-2026-10797. The shims, which originated from various tools and packages, could be used by attackers to bypass Secure Boot on any UEFI-based system that trusts Microsoft's third-party UEFI certificate authority, regardless of the operating system installed.

The issue is compounded by the fact that these shims allow untrusted code execution during the boot process, enabling the deployment of bootkits even if Secure Boot is enabled. ESET reported these findings to CERT/CC in February 2026, leading to the revocation of the vulnerable applications and their addition to the UEFI DBX, or Forbidden Signature Database. CERT/CC advises system administrators to update the signature database before implementing the DBX revocations to avoid potential issues with updated boot components.

Despite a vetting process established in 2017 for signing and documenting shims, older shims from before this time remain undocumented and could still pose a security risk. Organizations managing large-scale deployments, such as enterprises and cloud operators, are urged to prioritize these updates to prevent unauthorized code execution during system startup.