Back

Security Advisory — Secure Boot Bypass via AMI Aptio UEFI BDS Module

CVE-2026-33197
Jul 14, 2026

GIGABYTE Technology Co., Ltd. acknowledges a security vulnerability (CVE-2026-33197) involving the AMI Aptio UEFI BDS (Boot Device Selection) module. We are committed to providing secure and reliable products and have taken immediate action to mitigate this risk.

 

Vulnerability Details

Case Identifier: CVE-2026-33197
CVSS score: 8.7 HIGH
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerability Type: Secure Boot Bypass / Logic Error
Root Cause: A logic flaw exists in the BDS module's process for removing embedded UEFI Shell boot options. When Secure Boot is enabled, the system is designed to clear these options to prevent unauthorized access to privileged system commands. However, due to a logic error, the removal process may not clear all redundant entries, potentially allowing a privileged user to access the UEFI Shell environment.

 

Attack Scenario

The exploitation of this vulnerability requires the attacker to have already obtained administrative (root) privileges on the host operating system. By manipulating UEFI boot variables, an attacker could potentially bypass the intended cleanup mechanism to launch the embedded UEFI Shell during the boot process. Once in this environment, privileged memory-access commands could be used to modify Secure Boot policy handlers in memory, thereby bypassing the Secure Boot verification.

 

Potential Impact

Successful exploitation could lead to a compromise of the platform's Root of Trust. This may allow the execution of unverified code or the loading of malicious bootloaders (Bootkits) before the operating system initializes. Because this occurs at the firmware level, such activities may evade standard operating system security controls and Endpoint Detection and Response (EDR) solutions.

 

Affected Products and Software

Affected Component: AMI Aptio UEFI BIOS: BDS Module
Affected Products: Certain GIGABYTE Motherboards utilizing the affected AMI Aptio UEFI version.

Resolution and Recommended Actions

GIGABYTE has implemented the following measures to neutralize this risk:

Firmware Update: GIGABYTE has released updated BIOS versions that correct the BDS module's removal logic, ensuring all unauthorized UEFI Shell boot options are fully purged during the boot sequence.

Platform

BIOS Release Schedule

Intel® Z890, W880, Q870, B860, H810 platforms

Released

Intel® Z790, B760 platforms

Released

Intel® Z690, Q670, B660, H610 platforms

Released

Intel® Z590, H510 platforms

Released

AMD® X870E, X870, B850, B840 platforms

Released

AMD® X670, B650, A620, A620A platforms

Released

AMD® X570, B550, A520 platforms

Released

AMD® X470, B450 platforms

Released

AMD® X370, B350, A320 platforms

Released

 

 

Recommended Action:
To mitigate the risk of unauthorized pre-boot execution, users are strongly advised to:

  1. Download and install the latest BIOS release from the official GIGABYTE support website for their specific motherboard model.
  2. Set a BIOS Administrator Password to prevent unauthorized modifications to firmware settings and boot configurations.

 

Acknowledgement
We extend our gratitude to the security researchers and our supply chain partners for identifying and reporting this vulnerability.

 

The release schedule and package contents may be adjusted without further notification. Please check the official support page for the latest updates.

Please navigate to the "Support" section of the relevant product page to download the updated BIOS.

For any further assistance regarding this issue please contact your sales representative, or create a new support ticket at https://esupport.gigabyte.com