Red Hat, which maintains shim, takes a more sensible view. The Linux powerhouse gives CVE-2023-40547 an 8.3 score -- that's still bad, but not awful. Why so high a score since it's hard to pull off?