Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2026-21265
CVE-2026-21265:
vulnerability analysis and mitigation
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees.
Certificate Authority (CA) Location Purpose Expiration Date
Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026
Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026
Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026
For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
Source: NVD
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management