Fix bootmgr SVN dateOfLastChange and CVE description (#444)#445
Conversation
The SVN bump from 8.0 to 9.0 (a728996) updated the value and version of the bootmgfw.efi SVN entry but left dateOfLastChange at the 8.0 date (2026-04-10) and the description at the old CVE (CVE-2023-24932). Update both fields to match the June 9, 2026 KB5094126 rollout: - dateOfLastChange: 2026-04-10 -> 2026-05-21 - description: CVE-2023-24932 -> CVE-2026-45654
|
@jcoester, @pbatard mind letting me know if this fixes the issues you noticed (at least in this repo) if there is anything else? @olkorsha, @SochiOgbuanya Can you review this comment left by @jcoester and seeing if these are known issues internally and seeing that they're assigned correctly? Further issues below. 1) Still faulty SVN GUIDsThe SVNs GUIDs are still scrambled, as there seems to be a regression from f3a3287 (April 30, 2026) referencing #377, #404 June 9, 2026—KB5094126 (OS Builds 26200.8655 and 26100.8655) still contains GUIDs considered faulty. "guid": "{9d132b61-59d5-4388-**1cab**-185c3cb2eb92} == EFI_BOOTMGR_DBXSVN_GUID",
"guid": "{e8f82e9d-e127-4158-**88a4**-4c18abe2f284} == EFI_CDBOOT_DBXSVN_GUID",
"guid": "{c999cac2-7ffe-496f-**2781**-9e2a8a535976} == EFI_WDSMGR_DBXSVN_GUID",JSON from this PR. - Seems like the corrections got lost with the Windows Update rollout above. "guid": "{9d132b61-59d5-4388-**ab1c**-185c3cb2eb92} == EFI_BOOTMGR_DBXSVN_GUID",
"guid": "{e8f82e9d-e127-4158-**a488**-4c18abe2f284} == EFI_CDBOOT_DBXSVN_GUID",
"guid": "{c999cac2-7ffe-496f-**8127**-9e2a8a535976} == EFI_WDSMGR_DBXSVN_GUID",2) Outdated Bootmgr CVE descriptionThis PR forgets to update the Bootmgr CVE description, already rolled out in the June 9 release June 9, 2026—KB5094126 (OS Builds 26200.8655 and 26100.8655) - Already updated "version": "9.0",
"description": "Windows Bootmgr SVN CVE-2026-45654",
"dateOfLastChange": "2026-05-21"JSON from this PR. - This PR version is behind the version already rolled out on June 9. "version": "9.0",
"description": "Windows Bootmgr SVN CVE-2023-24932",
"dateOfLastChange": "2026-04-10"3) Missing 'isOptional' tagsLastly, the local Conclusion
|
|
The proposed changes from 2) look okay to me, as far as the discrepancies I saw are concerned. As usual, even if I do understand that there can be some delays when it comes to reviewing a PR/proposed update, I'm going to make the remark that when an SVN update is produced by Microsoft on 2026-05-21, it shouldn't take more than one month (2026-06.30) for that change to be formally published in this repository... Can Microsoft please look at reducing the delays in publishing SVN changes? Thank you. |
I agree with you, and this is feedback I will provide internally |
Description
The SVN bump from 8.0 to 9.0 (a728996) updated the value and version of the bootmgfw.efi SVN entry but left dateOfLastChange at the 8.0 date (2026-04-10) and the description at the old CVE (CVE-2023-24932).
Update both fields to match the June 9, 2026 KB5094126 rollout:
dateOfLastChange: 2026-04-10 -> 2026-05-21
description: CVE-2023-24932 -> CVE-2026-45654
Impacts functionality?
Impacts security?
Breaking change?
Includes tests?
Includes documentation?
How This Was Tested
verified that the json was valid
Integration Instructions
N/A