Microsoft provides mitigation for “YellowKey” BitLocker bypass flaw (CVE-2026-45585)
Microsoft is working on a fix for CVE-2026-45585 (aka “YellowKey”), a vulnerability that attackers can use to bypass the protections offered by BitLocker, the full-disk encryption feature built into Windows, and access users’ data.
In the meantime, the company has provided step-by-step mitigation advice to protect affected Windows devices from exploitation.
CVE-2026-45585 and the YellowKey exploit
CVE-2026-45585 is a security feature bypass vulnerability that can only be exploited if the attacker has physical access to a vulnerable device. It affects various Windows 11 and Windows Server 2025 versions.
The existence of the vulnerability was disclosed as a zero-day a week ago by a security researcher who goes by Nightmare Eclipse, ostensibly out of frustration with Microsoft’s handling of bug reports. The proof-of-concept (PoC) exploit they published can be easily leveraged.
BitLocker’s core promise is that stolen or unattended machines will keep users’ data safe even if the drive is removed or the machine is powered off, because the data is encrypted at rest and the keys are tied to the Trusted Platform Module (TPM), which also verifies that the boot process hasn’t been tampered with before releasing the key.
“The vulnerability is not in the encryption itself, but in the recovery environment that surrounds BitLocker,” NCSC Netherlands pointed out.
Vulnerability analyst Will Dormann confirmed that the PoC exploit works.
Mitigations available
Microsoft’s proffered mitigations involve either:
- Removing the vulnerable value (autofstx.exe) from the registry hive of the mounted Windows Recovery Environment (WinRE) image and re-establishing BitLocker trust for WinRE, or
- Adding a PIN to the BitLocker protection
Dormann noted that the first option works because the FsTx Auto Recovery Utility (autofstx.exe) is prevented from automatically starting when the WinRE image launches.
The second option, which is easier to implement, also works, though Nightmare Eclipse has previously stated that they are holding back a PoC exploit that can bypass TPM+PIN protection.
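The second mitigation, adding a PIN to the existing TPM protector, can be audited and applied with the BitLocker cmdlets that ship with Windows. The script below is an added example and is not code from the article or from Microsoft’s mitigation guidance; it assumes an elevated PowerShell session on Windows 11 or Windows Server 2025 with the BitLocker module present, and a startup-authentication policy that permits TPM+PIN. It does not cover the first option (editing the mounted WinRE image hive), for which Microsoft’s step-by-step instructions should be followed.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not from the article or from Microsoft's guidance.
# Assumes: elevated session, BitLocker PowerShell module, and a policy that allows
# TPM+PIN startup authentication ("Require additional authentication at startup").

function Get-BitLockerPinStatus {
    # One record per BitLocker volume: which protector types are present and whether a
    # TPM+PIN protector (the article's second mitigation) is among them.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = $types -join ', '
            HasTpmPin        = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            HasRecoveryPwd   = $types -contains 'RecoveryPassword'
        }
    }
}

function Add-TpmPinProtector {
    # Converts a TPM-only volume to TPM+PIN. Order matters: a recovery password is
    # created before the TPM-only protector is removed, so the volume is never left
    # without a way to unlock it if the PIN step fails.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    if ($types -contains 'TpmPin') {
        Write-Host "$MountPoint already has a TPM+PIN protector; nothing to do."
        return
    }
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        # Escrow this password (AD, Entra ID or MDM) before the next reboot.
        Write-Host "Recovery password created: $($rp.RecoveryPassword) -- escrow it before rebooting."
    }
    # BitLocker allows one TPM-based protector per volume; remove the TPM-only one
    # so the TPM+PIN protector can take its place.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerPinStatus | Where-Object MountPoint -eq $MountPoint
}

# Usage: audit every volume first, then convert the OS volume.
Get-BitLockerPinStatus | Format-Table -AutoSize
# $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
# Add-TpmPinProtector -MountPoint 'C:' -Pin $pin
```

Run the audit across a fleet before changing anything: volumes whose `Protectors` column shows only `Tpm` (and perhaps `RecoveryPassword`) are the ones still relying on the TPM alone. The conversion takes effect at the next boot, when the user is prompted for the PIN, so the recovery password printed by the script must be escrowed first.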
They have previously published PoCs for several Microsoft zero-days, including:
- BlueHammer (a Windows local privilege escalation vulnerability),
- RedSun (another Windows privilege escalation flaw), and
- UnDefend (a vulnerability that can be exploited to block Microsoft Defender from receiving signature updates or disable it).

