Description
Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Published: 2026-05-12
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from Windows Secure Boot relying on a component that cannot be updated; an attacker with authorized local access can use this to bypass the security feature. The resulting effect is that the integrity checks performed during system boot can be bypassed, enabling the execution of unsigned or malicious code during startup. This flaw does not directly expose remote code execution, but it allows local privilege escalation through the compromised boot process, potentially compromising the confidentiality, integrity, and availability of the system.

Affected Systems

Microsoft Windows 10 versions 1809, 21H2 and 22H2; Microsoft Windows 11 versions 22H3, 23H2, 24H2, 25H2 and 26H1; Microsoft Windows Server 2019, 2022, 2025 and the 23H2 edition. All 32-bit and 64-bit builds, including Server Core installations, are affected as listed by the CNA.

Risk and Exploitability

The CVSS score of 6.7 indicates medium severity. The EPSS score is not available, so the exploitation frequency cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an authorized user who can already run privileged processes on the machine would need to exploit the flaw. No additional exploitation prerequisites are described in the available data.

Generated by OpenCVE AI on May 12, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE-2026-41097 on all affected Windows operating systems.
  • Ensure Secure Boot is enabled and the boot configuration is protected from unauthorized changes.
  • Limit local administrative access and enforce least-privilege principles to reduce the risk of the authorized attacker scenario.


Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values removed: (none)
Values added: Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

Type: Title
Values removed: (none)
Values added: Secure Boot Security Feature Bypass Vulnerability

Type: First Time appeared
Values removed: (none)
Values added:
  • Microsoft
  • Microsoft windows 10 1809
  • Microsoft windows 10 21h2
  • Microsoft windows 10 22h2
  • Microsoft windows 11 23h2
  • Microsoft windows 11 24h2
  • Microsoft windows 11 25h2
  • Microsoft windows 11 26h1
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025
  • Microsoft windows Server 23h2

Type: Weaknesses
Values removed: (none)
Values added: CWE-1329

Type: CPEs
Values removed: (none)
Values added:
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added:
  • Microsoft
  • Microsoft windows 10 1809
  • Microsoft windows 10 21h2
  • Microsoft windows 10 22h2
  • Microsoft windows 11 23h2
  • Microsoft windows 11 24h2
  • Microsoft windows 11 25h2
  • Microsoft windows 11 26h1
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025
  • Microsoft windows Server 23h2

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:25.022Z

Reserved: 2026-04-16T19:12:36.195Z

Link: CVE-2026-41097

Vulnrichment

Updated: 2026-05-12T19:17:53.229Z

NVD

Status : Received

Published: 2026-05-12T18:17:21.343

Modified: 2026-05-12T18:17:21.343

Link: CVE-2026-41097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:00:13Z

Weaknesses