Description
Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Published: 2026-04-14
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local UEFI Secure Boot bypass
Action: Patch immediately
AI Analysis

Impact

A flaw in the Windows Boot Loader causes a security decision to rely on untrusted input, enabling an attacker with local authorization to bypass UEFI Secure Boot. The result is that unsigned firmware or boot components can be loaded, potentially compromising the integrity of the system’s startup process. The vulnerability does not provide additional remote access or data exposure beyond this local boot requirement.

Affected Systems

Microsoft Windows 10 versions 1607, 1809, 21H2 and 22H2, as well as Windows Server 2016, 2019 and 2022—including Server Core installations—are affected by this flaw. These operating systems rely on UEFI firmware with Secure Boot enabled.

Risk and Exploitability

The CVSS base score of 6.7 indicates medium severity. Because the vulnerability requires the attacker to have local privilege to modify boot loader components or firmware, the attack vector is inferred to be local and practicable only when such access is available. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, implying it is not currently exploited. Nevertheless, the ability to bypass a fundamental boot security mechanism warrants prompt remediation.

Generated by OpenCVE AI on April 14, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update that addresses CVE‑2026‑0390. If a patch is not yet available, restrict physical access to unattended devices, enforce a BIOS/UEFI password, and disable booting from external media to reduce the risk of local bootloader tampering.

Generated by OpenCVE AI on April 14, 2026 at 19:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2016 (server Core Installation)
Microsoft windows Server 2019 (server Core Installation)
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2016 (server Core Installation)
Microsoft windows Server 2019 (server Core Installation)

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Title UEFI Secure Boot Security Feature Bypass Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Weaknesses CWE-807
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows Server 2016 Windows Server 2016 (server Core Installation) Windows Server 2019 Windows Server 2019 (server Core Installation) Windows Server 2022
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:54:28.525Z

Reserved: 2025-11-19T11:49:07.943Z

Link: CVE-2026-0390

cve-icon Vulnrichment

Updated: 2026-04-14T19:11:58.031Z

cve-icon NVD

Status : Received

Published: 2026-04-14T18:16:42.237

Modified: 2026-04-14T18:16:42.237

Link: CVE-2026-0390

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z

Weaknesses