shim
cpe:2.3:a:redhat:shim:*:*:*:*:*:*:*
- 15.6-2
An issue has been identified in the shim component of Fedora 38: the Secure Boot CA certificate has expired. This expiration can result in the loading of old or invalidly signed boot components. The vulnerability arises from the use of a key past its expiration date, which can compromise the integrity of the boot process by allowing outdated or unauthorized components to be loaded.
The expired certificate can lead to a failure in the Secure Boot process, allowing potentially unauthorized or invalid boot components to be loaded, which could compromise the system's integrity.
The vulnerability can be reproduced by running 'mokutil --list-enrolled', which will display the expired Fedora Secure Boot CA certificate. The installed shim version must be 15.6-2, which is prior to the patched version 15.8-2.
Users can upgrade to shim version 15.8-2, which is available in the Fedora 38 stable repository.
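A defensive check for the condition described above, as an added example that is not part of the original advisory or of shim or mokutil: it parses the text printed by 'mokutil --list-enrolled' for certificates past their Not After date and compares an installed shim version-release string with the fixed 15.8-2. The sample listing, its dates and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `mokutil --list-enrolled` prints; all values illustrative.
SAMPLE = """\
[key 1]
Certificate:
    Data:
        Issuer: CN=Fedora Secure Boot CA
        Validity
            Not Before: Jan  1 00:00:00 2013 GMT
            Not After : Jan  1 00:00:00 2023 GMT
        Subject: CN=Fedora Secure Boot CA
        Subject Public Key Info:
[key 2]
Certificate:
        Validity
            Not After : Jan  1 00:00:00 2040 GMT
        Subject: CN=Example Machine Owner Key
"""

KEY_RE = re.compile(r"^\[key \d+\][ \t]*$", re.M)
NOT_AFTER_RE = re.compile(r"Not After[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)
SUBJECT_RE = re.compile(r"^[ \t]*Subject:[ \t]*(.+?)[ \t]*$", re.M)

def enrolled_certs(text):
    """Yield (subject, not_after) for each [key N] block in the listing."""
    for block in KEY_RE.split(text)[1:]:
        end = NOT_AFTER_RE.search(block)
        if not end:
            continue  # block without a parsable validity period
        subject = SUBJECT_RE.search(block)
        when = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y GMT")
        yield (subject.group(1) if subject else "<no subject>", when.replace(tzinfo=timezone.utc))

def expired_certs(text, now=None):
    """Return the enrolled certificates whose Not After date has passed."""
    now = now or datetime.now(timezone.utc)
    return [(s, w) for s, w in enrolled_certs(text) if w < now]

def ver_tuple(v):
    return tuple(int(n) for n in re.findall(r"\d+", v))

def shim_needs_update(installed, fixed="15.8-2"):
    """Numeric compare only; enough for strings like 15.6-2, not full RPM ordering."""
    return ver_tuple(installed) < ver_tuple(fixed)

if __name__ == "__main__":
    for subject, when in expired_certs(SAMPLE):
        print(f"EXPIRED {when:%Y-%m-%d} {subject}")
```

To check a real system, pass the captured output of 'mokutil --list-enrolled' to expired_certs() in place of SAMPLE.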