Microsoft has identified a critical vulnerability in Windows Secure Boot certificates, tracked as CVE-2026-21265, which poses serious risks to the integrity of the device boot process. The issue arises from the expiration of certificates issued in 2011, which are essential for the secure operation of the Secure Boot trust chain.
Update the devices
With a base CVSS v3.1 score of 6.4, the vulnerability requires local access, high privileges, and a high attack complexity, which partially reduces the likelihood of immediate exploitation. However, its existence raises an important alert, especially because the affected certificates are scheduled to expire in mid-2026. If the corresponding patches are not applied, devices could be vulnerable to attacks during the boot process.
In order to mitigate these risks, Microsoft released patches in its January 2026 Patch Tuesday update, aimed at replacing the at-risk certificates. Organizations should prioritize the implementation of these updates and check firmware compatibility to avoid boot issues after installing the patches. In its November 2025 notice, Microsoft emphasized the need to renew three key certificates to maintain boot security.
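One way for an administrator to see which trust anchors a device's firmware currently holds, and whether they expire in the window the article describes, is to read the Secure Boot variables directly. The following PowerShell script is an added example; it is not part of the original article or of Microsoft's guidance. It uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, parses the EFI_SIGNATURE_LIST layout defined by the UEFI specification, and lists every X.509 certificate in the KEK and db variables with its expiry date, so the same check can be run before and after the January 2026 update to confirm the replacement certificates have landed. The choice of variables and the 2026 threshold year are the example's own assumptions.

```powershell
# Added example (not from the article): inventory the X.509 certificates held in the
# firmware's Secure Boot KEK and db variables and report their subject and expiry.
# Run from an elevated PowerShell session on a UEFI system.

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list of DER certificates.
$X509SignatureTypeGuid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    <#
      Parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and
      emits one object per X.509 certificate found. Hash-type lists (as used in dbx)
      are skipped because they carry no certificate.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'db', 'dbx')]
        [string]$Variable
    )

    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)

        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($sigType -eq $X509SignatureTypeGuid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (DER-encoded certificate)
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this system; the variables below are not being enforced.'
}

# KEK holds the keys allowed to update db/dbx; db holds the CAs trusted to sign boot components.
$certs = 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificates -Variable $_ }
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize

# Flag trust anchors whose validity ends in 2026 (assumed threshold matching the article's expiry window).
$expiring = @($certs | Where-Object { $_.NotAfter.Year -le 2026 })
if ($expiring.Count -gt 0) {
    Write-Warning ("{0} Secure Boot certificate(s) expire by the end of 2026; confirm the January 2026 update has been applied and that newer CAs appear in the list above." -f $expiring.Count)
}
```

Run the script once before patching to record the baseline, and again after the update and a reboot: the replacement certificates should appear alongside the 2011 entries in db and KEK. If the list does not change after the update, the firmware may have rejected the variable write, which is exactly the compatibility problem the article advises checking for with the device vendor before rollout.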

The company calls on organizations that manage IT updates, as well as those that use Microsoft-managed solutions, to take immediate action. Devices left without the updates remain exposed at their most critical moment: during boot-up. In light of this situation, it is crucial for system administrators to act swiftly to protect their infrastructure.