Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
Summary
Hide ▲
Show ▼
YellowKey is a Windows BitLocker security feature bypass tracked as CVE-2026-45585 that affects the Windows Recovery Environment (WinRE) path and can expose BitLocker-protected drives on Windows 11 and Windows Server 2022/2025 systems. Microsoft has issued mitigation guidance after the proof of concept was made public, including removing autofstx.exe from the BootExecute registry value and moving already encrypted devices from TPM-only to TPM+PIN. The disclosed technique uses crafted FsTx files on a USB drive or EFI partition to reach a shell with unrestricted access to the protected storage volume.
Related Happenings
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft BitLocker recovery prompt workaround
Advisory/Mitigation
H score25
First: 09.06.2026 21:35
Last: 09.06.2026 21:35
Sources 1
About this happening:
Microsoft issued a **temporary workaround** for **BitLocker recovery prompts** on some **Windows** systems after recent updates. The issue affects devices configured with a **BitL...
Microsoft BitLocker recovery prompt workaround
Advisory/MitigationAbout this happening: Microsoft issued a **temporary workaround** for **BitLocker recovery prompts** on some **Windows** systems after recent updates. The issue affects devices configured with a **BitL...
Microsoft CVD response for Windows Defender and BitLocker
Advisory/Mitigation
H score47
First: 28.05.2026 16:53
Last: 28.05.2026 16:53
Sources 1
How related:
In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
About this happening:
**Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...
Microsoft CVD response for Windows Defender and BitLocker
Advisory/MitigationHow related: In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
About this happening: **Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...
Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)
Vulnerability
H score9
First: 20.05.2026 11:28
Last: 20.05.2026 11:28
Sources 1
About this happening:
CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...
Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)
VulnerabilityAbout this happening: CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...
Latest development: 11.06.2026 20:43
Security researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
H score32
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
How related:
"We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."
About this happening:
**Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationHow related: "We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."
About this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Latest development: 10.06.2026 12:57
On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.
Timeline
-
20.05.2026 10:31 3 articles · 1mo ago
Microsoft shares YellowKey mitigation guidance
Mitigation Patch UpdateMicrosoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
Show sources
- Microsoft shares mitigation for YellowKey Windows zero-day — www.bleepingcomputer.com — 20.05.2026 10:31
- Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal — thehackernews.com — 28.05.2026 16:53
- Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days — www.bleepingcomputer.com — 10.06.2026 12:57
-
14.05.2026 10:27 1 articles · 1mo ago
Chaotic Eclipse publicly discloses YellowKey and GreenPlasma
Initial DisclosureChaotic Eclipse and Nightmare Eclipse publicly release proof-of-concept code for YellowKey, a Windows 11 BitLocker bypass that can expose the protected storage volume, and GreenPlasma, a separate Windows zero-day that can elevate privileges to System.
Show sources
- Researcher Drops YellowKey, GreenPlasma Windows Zero-Days — www.securityweek.com — 14.05.2026 10:27
-
14.05.2026 10:27 3 articles · 1mo ago
Researchers validate YellowKey on recent Windows 11 builds
Technical Analysis UpdateIndependent testers including Kevin Beaumont, KevTheHermit, Will Dormann, and JaGoTu confirm YellowKey works against recent Windows 11 builds, and TPM PIN-protected devices may also be affected depending on the WinRE implementation. The exploit path can begin with a USB drive or EFI partition and then use Windows Recovery Environment (WinRE) to reach a command prompt that exposes the protected volume.
Show sources
- Researcher Drops YellowKey, GreenPlasma Windows Zero-Days — www.securityweek.com — 14.05.2026 10:27
- Researcher Drops YellowKey, GreenPlasma Windows Zero-Days — www.securityweek.com — 14.05.2026 10:27
- Windows BitLocker zero-day gives access to protected drives, PoC released — www.bleepingcomputer.com — 13.05.2026 19:37