Millions of PCs running Windows face a ticking clock as certificates that anchor the Secure Boot trust chain are set to expire in 2026, and the first deadline arrives in June. The issue, tracked in the National Vulnerability Database as CVE-2026-21265, identifies specific Key Exchange Key and database certificates whose expiration could break the chain of trust that prevents unauthorized code from running at startup. Without firmware-level updates before those dates, affected machines risk losing the ability to verify signed boot components, a failure that could force users to disable Secure Boot entirely or fall back to less secure boot modes.
Why expiring Secure Boot certificates demand action before June
Secure Boot works by checking digital signatures on every piece of software that loads before the operating system starts. Those signatures depend on certificates embedded in a PC’s firmware. When a certificate expires, the firmware can no longer validate the signatures it was designed to trust. The practical result for an end user is stark: a machine that worked fine yesterday could refuse to boot, throw validation errors, or silently drop into a legacy boot mode that offers no protection against boot-level malware.
The vulnerability record maintained in the NVD catalog lists certificates filling both KEK and DB roles in the Secure Boot trust chain. KEK certificates authorize changes to the signature database, while DB certificates directly validate signed boot loaders and drivers. Losing either type disrupts different parts of the verification process, but the outcome is the same: the system can no longer guarantee that only trusted code executes during startup.
Systems still relying on the soon-to-expire KEK certificates can be expected to show measurably higher rates of Secure Boot disablement or fallback within 90 days of the first expiration date, and that expectation follows directly from how certificate-based trust works. Once a KEK certificate expires, the firmware has no authorized path to update its own signature database. That leaves administrators with two options: apply a firmware update that installs a replacement certificate before the deadline, or accept that Secure Boot will effectively stop functioning on that device. For organizations managing thousands of endpoints, the coordination required to push firmware updates across mixed hardware fleets is not trivial, and any lag creates a window where machines operate without boot-level integrity checks.
Certificate expiration dates and roles documented in CVE-2026-21265
The vulnerability entry points to concrete dates tied to specific certificate roles. According to the broader NIST materials associated with the case, one certificate expires on June 24, 2026, and another expires on October 19, 2026. These are not arbitrary deadlines. They reflect the original validity periods baked into the certificates when they were first issued and distributed in firmware.
The distinction between the two dates matters for planning. The June 24 expiration arrives first and sets the initial pressure point for IT departments and individual users alike. Any system that has not received a replacement certificate by that date will begin operating with a broken trust chain. The October 19 expiration extends the risk window, catching a second set of certificates and potentially a different group of devices or firmware versions. Organizations that treat the June date as a soft warning and delay action could find themselves scrambling again just four months later.
The certificates serve KEK and DB functions, according to the vulnerability record. A KEK certificate acts as a gatekeeper: it authorizes which signing certificates can be added to or removed from the signature database. A DB certificate sits lower in the chain and directly validates the boot loader, operating system kernel, and early-load drivers. Both types are essential. If the KEK expires, no new DB entries can be securely added. If a DB certificate expires, the specific boot components it validated will fail their integrity checks.
No public record in the available NIST materials specifies exactly how many PC models or firmware versions ship with the affected certificates. That gap makes it difficult to estimate the total number of machines at risk. What is clear from the vulnerability record is that the issue spans the certificate infrastructure itself, not a single vendor’s implementation, which suggests a broad footprint across manufacturers that rely on the same root certificates in their Secure Boot configurations.
Gaps in vendor guidance and what PC owners should track next
The NIST sources that document CVE-2026-21265 describe the technical problem but do not include step-by-step remediation instructions from Microsoft or from hardware manufacturers. No specific firmware update package, no list of affected device models, and no vendor-issued timeline for distributing replacement certificates appear in the available records. That absence is significant because certificate rotation in Secure Boot is not something an end user can do through a simple software patch. It requires a firmware update, typically delivered through a device manufacturer’s support channel or through Windows Update working in coordination with the OEM.
For individual PC owners, the first practical step is to check whether their system’s firmware is current. Most manufacturers publish BIOS or UEFI updates through their support websites, and Windows itself can deliver firmware updates through its regular update mechanism when the hardware vendor has enrolled in that process. Users running older machines that are no longer receiving firmware support from their manufacturer face the most acute risk, because no update path may exist for those devices.
Enterprise IT teams should audit their fleets now to identify which machines carry the expiring certificates. Tools that read Secure Boot certificate details from UEFI variables can help inventory KEK and DB entries across large environments. Once those inventories exist, administrators can map devices to vendor support lifecycles and determine which systems are likely to receive new firmware in time and which may need to be retired or isolated.
Because the NIST documentation does not yet point to official vendor advisories, organizations will have to closely monitor OEM support portals and Microsoft’s security guidance over the coming months. Procurement and risk teams should treat firmware support status as a first-class criterion when evaluating new hardware, ensuring that future devices will be able to accept certificate updates beyond the 2026 deadlines.
Planning for Secure Boot continuity
With two firm expiration dates already on the calendar, the key for both consumers and enterprises is to avoid treating this as an abstract cryptography problem. Expiring certificates translate directly into boot failures, security downgrades, or both. Systems that cannot be updated in time should be flagged as higher risk, with compensating controls such as tighter network segmentation, stricter application allowlists, or accelerated replacement schedules.
Conversely, devices that do receive updated firmware before June and October will need careful validation. After each update, administrators should confirm that Secure Boot remains enabled, that expected operating systems and boot loaders still launch, and that no unexpected keys or certificates have been added to the trust store. Documenting these checks will be important for audits and for demonstrating that the organization managed the CVE-2026-21265 exposure in a controlled way.
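As an added example (not from the article, Microsoft, or any OEM), the PowerShell script below performs the fleet inventory described earlier and the post-update checks described here. It reads the raw KEK and db UEFI variables through the built-in SecureBoot module, walks each EFI_SIGNATURE_LIST, lists the X.509 entries with their subject and expiry date, and then reports whether Secure Boot is still enforced and whether any entry is missing from an expected list. It assumes the Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets, an elevated session on a UEFI machine, and treats the cutoff date and the expected-subject list as placeholders to replace with values captured from a known-good machine in your own environment.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory Secure Boot KEK/db certificates and validate state after a firmware update.
# Assumes the Windows SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI) on a UEFI system.

$Cutoff   = [datetime]'2026-12-31'                              # placeholder: flag anything expiring before this date
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'         # EFI_CERT_X509_GUID from the UEFI specification

function Get-SecureBootCertificates {
    # Parse one Secure Boot variable (KEK or db) into certificate records.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Variable)

    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4), then the optional header and entries.
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $dataStart  = $offset + 28 + $headerSize
        $listEnd    = $offset + $listSize

        # Only X.509 lists carry certificates; hash-based lists (e.g. SHA-256 entries in db) are skipped.
        if ($type -eq $X509Guid) {
            $pos = $dataStart
            while (($pos + $sigSize) -le $listEnd) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER-encoded certificate.
                $owner = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                $der   = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable    = $Variable
                    Owner       = $owner
                    Subject     = $cert.Subject
                    NotAfter    = $cert.NotAfter
                    Thumbprint  = $cert.Thumbprint
                    ExpiresSoon = ($cert.NotAfter -lt $Cutoff)
                }
                $pos += $sigSize
            }
        }
        $offset = $listEnd
    }
}

function Test-SecureBootState {
    # Post-update validation: Secure Boot still enforced, no unexpected issuers, nothing near expiry.
    # $ExpectedSubjects is a placeholder list taken from a known-good machine, not from this article.
    param([Parameter(Mandatory)][string[]]$ExpectedSubjects)

    $enabled    = Confirm-SecureBootUEFI
    $certs      = @(Get-SecureBootCertificates -Variable KEK) + @(Get-SecureBootCertificates -Variable db)
    $unexpected = @($certs | Where-Object { $ExpectedSubjects -notcontains $_.Subject })
    $expiring   = @($certs | Where-Object { $_.ExpiresSoon })

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        UnexpectedEntries = $unexpected.Count
        ExpiringEntries   = $expiring.Count
        Healthy           = ($enabled -and $unexpected.Count -eq 0 -and $expiring.Count -eq 0)
    }
}

# Inventory output suitable for collection into a fleet-wide CSV.
Get-SecureBootCertificates -Variable KEK | Format-Table Variable, Subject, NotAfter, ExpiresSoon -AutoSize
Get-SecureBootCertificates -Variable db  | Format-Table Variable, Subject, NotAfter, ExpiresSoon -AutoSize

# Validation against a placeholder allowlist; replace with subjects recorded from a trusted reference system.
Test-SecureBootState -ExpectedSubjects @('CN=EXAMPLE KEK CA (placeholder)', 'CN=EXAMPLE UEFI CA (placeholder)')
```

Run it once before the firmware update to capture the baseline (the NotAfter column is what tells you whether a machine carries an anchor that ages out in June or October), and again afterwards so the Healthy flag and the inventory diff become the audit record the article calls for. Because the script reads the variables as raw bytes rather than trusting a vendor tool, the same parser works across OEMs as long as the firmware exposes standard Secure Boot variables.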
The looming certificate expirations underscore a broader lesson: Secure Boot is not a “set it and forget it” feature. Its guarantees depend on long-lived but ultimately time-limited cryptographic anchors. As those anchors age out, the only way to preserve the security benefits is through timely, coordinated firmware maintenance. Machines that miss that window will keep running, but increasingly on borrowed trust.
*This article was researched with the help of AI, with human editors creating the final content.