CVE Tools

CVE-2026-58638

Windows Boot Loader Security Feature Bypass Vulnerability

Published: Jul 14, 2026Updated: Jul 15, 2026 Sources: CVE List NVDCWE-325

Description

Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.

In plain language

AI Act now

CVE-2026-58638 is a Windows problem where a user with local access can bypass a security feature; if you only use Windows normally (no special local/admin exposure), it’s less likely, but RED means you should patch these Windows versions.

Executive summary

CVE-2026-58638 is a security-feature bypass in the Windows Boot Loader: a missing cryptographic check lets a local, authorized attacker bypass a security control (no user interaction required), affecting Windows 10/11 and multiple Windows Server releases.

If affected, business impact
Security controls bypassed locallyPotential credential or data theftDevice takeover without reboot effortIncident response and downtime risk

What to do now

  1. Check which of these you run: windows 10, windows 11, windows server 2012, windows server 2012 r2, windows server 2016, windows server 2019, windows server 2022, windows server 2025.
  2. Compare your current Windows build/version against the fixed versions listed in this advisory (below in your IT ticket) for your exact OS.
  3. Update each affected machine to the fixed version for your platform (do this even if you believe the machine is “safe,” because the issue is in the boot loader security feature).
  4. If you can’t patch immediately, limit “local access” to Windows accounts (reduce who can log on to consoles/terminals) and protect physical/interactive access until updates are applied.
Usually a quick update

CVSS Vector Breakdown

AV:LAC:LPR:HUI:NS:UC:HI:HA:N
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:HPrivileges Required
High
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:NAvailability
None

Weaknesses

Affected Products

and 9 more affected products View all →

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

References

3

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-58638 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows