CVE-2026-58638: Install July Updates to Fix Windows Boot Loader Bypass

Microsoft’s July 14, 2026 security updates fix CVE-2026-58638, a Windows Boot Loader security feature bypass that affects supported Windows client and server releases from Windows 10 version 1809 through Windows 11 version 26H1 and Windows Server 2025. The immediate action is straightforward: deploy the July cumulative updates, then ensure that offline deployment media and recovery workflows receive the corresponding boot-component updates as well.
Microsoft describes the flaw as a “missing cryptographic step” in Windows Boot Loader. According to the National Vulnerability Database record sourced from Microsoft, a locally authorized attacker could bypass a security feature through the boot process. The vulnerability is rated Important, with a CVSS 3.1 score of 6.0 and a vector requiring local access and high privileges before exploitation.
That qualification matters. CVE-2026-58638 is not a remotely reachable entry point, and Microsoft has not indicated that it is publicly disclosed or exploited in the wild. Its danger lies elsewhere: once an attacker already has powerful access on a machine, a weakness in the pre-OS trust chain can turn an ordinary compromise into one that is much harder to detect, remove, or trust after remediation.

Microsoft infographic showing Secure Boot protection, CVE-2026-58638 mitigation, and validated Windows platforms.A Boot Loader Fix Is Not Just Another Monthly Patch​

The Windows Boot Loader sits in the narrow but consequential gap between UEFI firmware and the Windows kernel. Security controls at that point help establish whether the operating system is starting with trusted components and expected cryptographic validation. A flaw there does not automatically mean Secure Boot is universally defeated, nor does Microsoft’s advisory make that claim. But it does mean a security control in the Windows boot path can be bypassed under the stated conditions.
The CVSS vector spells out Microsoft’s intended risk framing: local attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, high integrity impact, and no availability impact. In practical terms, an attacker needs to have crossed significant barriers first. They would not be able to exploit this by emailing a document, scanning the internet for exposed PCs, or simply plugging in a USB device at a locked sign-in screen.
That does not make the issue trivial for enterprises. Boot-chain attacks are attractive after privilege escalation because code that executes before or alongside Windows’ normal security stack can undermine endpoint telemetry, evade some operating-system-level controls, or preserve a foothold beyond a straightforward malware cleanup. The security value of the patch is therefore less about stopping initial compromise and more about limiting what a successful intruder can do next.
Microsoft’s advisory currently provides no public technical proof of concept, workaround, or mitigation separate from installing updates. BleepingComputer’s July Patch Tuesday coverage lists the issue as “Exploitation Less Likely,” not publicly disclosed, and not known to be exploited. That is useful prioritization information, but it should not become an excuse to defer the update indefinitely on systems that handle sensitive data or have privileged local administrators.

The July Builds Mark the Patched Baseline​

The clearest way to determine whether a system has received the fix is to check its installed cumulative update and OS build. Microsoft’s published affected-version data identifies the following patched thresholds:
ProductPatched July 14 baseline
Windows 10 version 1809 / Windows Server 2019OS Build 17763.9020
Windows 10 version 21H2OS Build 19044.7548
Windows 10 version 22H2OS Build 19045.7548
Windows 11 version 24H2OS Build 26100.8875
Windows 11 version 25H2OS Build 26200.8875
Windows 11 version 26H1OS Build 28000.2525
Windows Server 2012OS Build 9200.26226
Windows Server 2012 R2OS Build 9600.23291
Windows Server 2016OS Build 14393.9339
Windows Server 2022OS Build 20348.5386
Windows Server 2025OS Build 26100.33158
For mainstream desktop deployments, the key packages are KB5099539 for Windows 10 version 21H2 and 22H2, KB5101650 for Windows 11 version 24H2 and 25H2, and KB5101649 for Windows 11 version 26H1. Microsoft identifies KB5099538 as the update bringing Windows 10 Enterprise LTSC 2019 and Windows Server 2019 to build 17763.9020. Windows Server 2022 receives KB5099540, while Windows Server 2025 receives KB5099536.
Administrators should use their normal Windows Update for Business, Microsoft Configuration Manager, WSUS, or Microsoft Update Catalog workflow, but should validate the resulting build number rather than rely only on approval status. A device can appear compliant in an update console while a reboot, servicing-stack prerequisite, or deployment error prevents the intended boot components from being committed.
The inclusion of Windows Server 2012 and Windows Server 2012 R2 is notable. Those platforms require Extended Security Updates for continued security servicing. Organizations still running them should verify entitlement, patch status, and the operational dependency behind the legacy server rather than assume a standard monthly update ring covers the machines.

Deployment Images Need Their Own Review​

This month’s Windows release notes carry an operational warning that is especially relevant to a Boot Loader vulnerability. Microsoft says dynamic-update deployments to existing Windows images must include the boot.stl file from the updated image. The file is used during Secure Boot validation and must match the Windows version and architecture being deployed.
If that file is omitted, Microsoft warns that installation media may fail to boot and return error 0xc0430001. The practical consequence is that patching live endpoints is only half the job for organizations that build or repair machines using custom WinPE, task sequences, offline WIM files, recovery drives, or bare-metal provisioning media.
For those environments, the July update process should include three checks:
  • Update the reference image and its applicable SafeOS and setup components, not just the installed operating-system image.
  • Confirm that boot.stl is present under the appropriate Windows\Boot\EFI path and corresponds to the same release and architecture as the image.
  • Test a full bare-metal deployment and a recovery boot on representative UEFI hardware before broad rollout.
Microsoft’s July release notes point administrators toward its Update WinPE script as the preferred way to refresh existing media. Manual copying is possible, but it raises the usual version-control risks: a boot file from a different architecture, feature release, or servicing month can create failures that only surface during recovery.

Secure Boot Certificate Work Makes Validation More Important​

CVE-2026-58638 arrives while Microsoft is also continuing the rollout of newer Secure Boot certificates. The company says certificates used by many Windows devices began expiring in June 2026, and that it is delivering replacements through Windows Update for supported consumer and unmanaged business PCs.
The same July updates add more device-targeting data for certificate deployment. On Windows 10 version 22H2, Microsoft also says the Windows Security app can report Secure Boot status dynamically. These are related operational changes, but they should not be treated as a substitute for the Boot Loader patch: certificate modernization and remediation of a missing cryptographic validation step are separate pieces of boot-chain maintenance.
This combination makes staged validation sensible, particularly for devices with third-party UEFI configurations, Linux dual boot, custom PK/KEK/db management, or tightly controlled firmware settings. The right response is not to disable Secure Boot or pause routine patching; it is to test the current Windows updates on representative hardware and confirm the expected boot posture afterward.
CVE-2026-58638 does not carry the urgency of a wormable remote-code-execution bug. But it patches a weak point where Windows is supposed to establish trust before the operating system’s usual defenses are fully in control. For security teams, the July 14 builds should become the minimum baseline—and for image-management teams, the more important test may be whether the next machine can still boot from the media they built.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: pcgamer.com
 

Back
Top