Ventoy 1.1.15 landed on June 25, 2026, a mere day after its predecessor, delivering a targeted fix for a boot regression that left bootable USB drives unusable on systems with Secure Boot disabled. The rapid release underscores the urgency of a bug that collided head-on with Microsoft’s long-planned UEFI CA 2023 certificate transition, a change that threatens to break Secure Boot compatibility for countless bootloaders and tools.
For years, Ventoy has been the go-to open-source tool for creating multi-boot USB drives. Instead of repeatedly reformatting a flash drive to write a new ISO, users simply copy image files onto a Ventoy-prepared disk and boot directly from them. Supporting both Legacy BIOS and UEFI, along with Secure Boot, Ventoy cleverly uses a signed shim loader to placate Microsoft’s firmware validation. That shim, essentially a first-stage bootloader blessed by Microsoft, allows chainloading of virtually any operating system kernel, signed or unsigned, as long as Secure Boot policies are satisfied or gracefully bypassed.
But the cryptographic bedrock under that shim began to shift. In 2022, Microsoft announced the deprecation of the “Microsoft UEFI CA 2011”—the certificate authority that signed third-party shims for over a decade—and its replacement with the “Microsoft UEFI CA 2023.” The transition, originally targeted for 2023, faced delays but finally started rolling out in force through firmware updates and Windows Secure Boot policies by early 2026. Any bootloader relying on the old CA would be rejected by a fully updated UEFI, effectively bricking bootable media created with older versions of Ventoy.
Ventoy’s developer responded with version 1.1.14, released on June 24, 2026. That update swapped in a new shim signed against the UEFI CA 2023, restoring Secure Boot compatibility on systems enforcing the new certificate. Initial reports were positive—until users noticed a bizarre side effect: with the 1.1.14 shim, Ventoy would only boot when Secure Boot was enabled. On machines where Secure Boot was turned off—common in dual-boot setups, legacy hardware, or enthusiast overclocking configurations—the USB drive failed to initialize, throwing a cryptic “boot failed” message or hanging entirely.
The bug was a classic edge case. The updated shim likely assumed a Secure Boot environment and lacked a fallback code path for systems that bypass the UEFI authorization protocol entirely. In a non–Secure Boot mode, the shim might have attempted to call absent EFI services or incorrectly validated certificates that don’t exist, leading to a silent crash. For Ventoy’s user base—often IT professionals who juggle Secure Boot on and off depending on the task—this was a showstopper.
Enter Ventoy 1.1.15, the hotfix that landed within 24 hours. The changelog was succinct but telling: “Fix the boot issue when Secure Boot is disabled.” Internally, the fix reworked the shim’s initialization logic to gracefully handle the absence of Secure Boot, allowing the boot process to proceed without attempting to enroll or verify any keys. Essentially, it restored the pre-1.1.14 behavior where Secure Boot is simply skipped when not active, while preserving the new CA signing for systems that do enforce it.
This rapid cycle—from report to hotfix in under a day—highlights both the responsiveness of the Ventoy project and the fragility of the UEFI Secure Boot ecosystem. The transition from one root certificate to another, though necessary to retire aging cryptographic primitives, creates a ripple effect that can brick rescue USBs at the worst possible moment. Ventoy’s shim-based approach had always been a delicate dance, and the UEFI CA 2023 switch forced a retuning of every step.
To understand the fix’s importance, consider the typical Ventoy use case. A technician arrives at a server with a Ventoy USB loaded with five Linux distributions, a Windows PE recovery image, and a memtest86+ ISO. The server’s firmware may have Secure Boot disabled for compatibility with custom kernels, or enabled due to corporate policy. With 1.1.14, the technician would find the USB dead on that server if Secure Boot was off, defeating the whole purpose of a universal tool. Version 1.1.15 brings back that universality.
Updating to Ventoy 1.1.15 is straightforward but demands a moment of caution. Existing Ventoy users can run Ventoy2Disk.exe -u from the command line on Windows, or use the graphical Ventoy2Disk utility’s “Update” button, to non-destructively replace the bootloader and shim files while preserving all ISO files and partition structure. Those on Linux can use the -u flag with the bash script. However, as with any low-level disk operation, backing up important data on the USB stick is strongly advised. Once updated, the drive should seamlessly boot on both Secure Boot–enabled and –disabled machines, provided the installed operating systems themselves support the hardware.
A brief comparison of the recent Ventoy releases clarifies the progression:
| Version | Release Date | Key Changes |
|---|---|---|
| Ventoy 1.1.13 | Early June 2026 | Maintenance fixes; old UEFI CA 2011 shim still in place. |
| Ventoy 1.1.14 | June 24, 2026 | Updated shim for UEFI CA 2023; restored Secure Boot on updated firmware. Broke boot when Secure Boot was disabled. |
| Ventoy 1.1.15 | June 25, 2026 | Fixed the Secure Boot–disabled boot regression; shim now works correctly regardless of Secure Boot state. |
Beyond the immediate fix, Ventoy 1.1.15 serves as a canary in the coal mine for the broader open-source boot ecosystem. Many Linux distributions, rescue disks, and other multiboot tools like YUMI or Rufus’ “Windows To Go” options rely on similar shim loaders. If they haven’t already updated their signing chains, their users will face identical failures as the UEFI CA 2023 rollout accelerates. Major firmware vendors like AMI, Phoenix, and Insyde already ship with the new CA as the default “deny” policy for old certificates, and Microsoft’s own Windows UEFI secure boot policy updates (KB5025885 and successors) enforce the transition at the OS level. The clock has been ticking for years, and in mid-2026, it’s striking midnight.
The Ventoy project’s nimble response offers a template: monitor upstream certificate changes, engage with the community to spot edge cases early, and deploy patches without bureaucratic delay. For end users, the message is equally clear: update your bootable media tools now, even if they seem to work today. A firmware update pushed overnight could render that trusted rescue stick inert.
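To see which of the cases described above a given machine falls into, the Secure Boot state and the firmware's signature database (db) can be read on Linux from efivarfs and parsed as EFI_SIGNATURE_LIST structures. The following is an added example, not code from Ventoy or from this article's sources; it matches certificate common names as raw bytes, which is a heuristic rather than full X.509 parsing, and the sample blobs are constructed placeholders, not real certificates.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject CNs of Microsoft's third-party UEFI CAs, matched as raw bytes in the
# DER blob (heuristic; a stricter check would parse the X.509 subject).
CA_NAMES = {"2011": b"Microsoft Corporation UEFI CA 2011",
            "2023": b"Microsoft UEFI CA 2023"}

def secure_boot_enabled(raw):
    """raw: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"""
    return len(raw) >= 5 and raw[4] == 1  # 4 attribute bytes, then 1 data byte

def x509_entries(db):
    """Yield certificate blobs from a chain of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(db):
        if len(db) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(db):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == EFI_CERT_X509_GUID and pos + sig_size <= end:
            yield db[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner GUID
            pos += sig_size
        off = end

def trusted_third_party_cas(raw_db):
    """raw_db: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"""
    certs = list(x509_entries(raw_db[4:]))  # drop efivarfs attribute word
    return {year for year, cn in CA_NAMES.items() if any(cn in c for c in certs)}

def _sig_list(guid, payload):  # builds constructed sample data only
    body = bytes(16) + payload
    return guid.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write
# Constructed samples: one hash entry plus placeholder "certificates".
SAMPLE_DB_OLD = (
    ATTRS + _sig_list(EFI_CERT_SHA256_GUID, bytes(32))
    + _sig_list(EFI_CERT_X509_GUID, b"\x30\x82" + CA_NAMES["2011"])
)
SAMPLE_DB_NEW = SAMPLE_DB_OLD + _sig_list(EFI_CERT_X509_GUID, b"\x30\x82" + CA_NAMES["2023"])

if __name__ == "__main__":
    print("Secure Boot on:", secure_boot_enabled(b"\x06\x00\x00\x00\x01"))
    print("db trusts:", sorted(trusted_third_party_cas(SAMPLE_DB_NEW)))
```

On a real system, pass the bytes read from the two efivarfs paths named in the docstrings; a db that lists only the 2011 CA will not validate a shim signed solely under the 2023 CA when Secure Boot is enabled.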
Ventoy 1.1.15 is available immediately from the official website at ventoy.net and the project’s GitHub repository. Direct downloads for Windows and Linux are provided, along with checksums to verify integrity. While the update is fresh, early testing by the enthusiast community has confirmed that it resolves the boot failure with Secure Boot disabled and maintains full compatibility with Secure Boot systems on the latest UEFI CA 2023 firmware. No new bugs have surfaced so far, suggesting that the hotfix is clean.
Looking ahead, the UEFI CA 2023 saga underscores a deeper tension between platform security and user autonomy. Secure Boot was designed to thwart low-level malware, but its certificate hierarchy enforces a de facto trust anchor controlled by Microsoft and a handful of OEMs. Tools like Ventoy, which empower users to run arbitrary code on their own hardware, must continuously adapt to these shifting trust boundaries. The 1.1.15 fix is a small but vital adjustment that preserves that freedom for another certificate cycle.
For Windows enthusiasts who maintain multi-boot environments—whether testing Windows 11 Insider builds, deploying Windows Server 2025 on bare metal, or keeping a Linux rescue partition nearby—Ventoy 1.1.15 is an essential update. It ensures that the USB stick in your bag will boot, no matter how the target machine’s UEFI is configured. And in a world where the only constant is change, that reliability is priceless.