Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
Happening score: 15
1 unique source, 1 article

Summary

CVE-2026-45585, tracked as YellowKey, is a BitLocker security feature bypass affecting Windows 11 26H1/24H2/25H2 and Windows Server 2025. Microsoft has already issued mitigations because a public proof of concept exists. The flaw can let an attacker with physical access sidestep BitLocker Device Encryption and reach encrypted data on affected systems. It carries a CVSS score of 6.8.

Related Happenings

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

About this happening: Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

Notepad++ hit by network compromise

Incident
First: 03.02.2026 06:55 Last: 03.02.2026 06:55 Sources 1

About this happening: The **Notepad++** hosting breach enabled attackers to hijack the software update path and selectively redirect some users to **malicious servers**, creating a **supply-chain** ris...

Latest development: 18.02.2026 09:40

Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design with verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the update server at notepad-plus-plus[.]org, and it also introduces WinGUp hardening including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.

Microsoft Windows October 2025 updates trigger BitLocker recovery startup issues

Service Disruption
First: 05.11.2025 10:56 Last: 05.11.2025 10:56 Sources 1

About this happening: Microsoft's **October 2025 Windows security updates** are causing some **Intel devices** to enter **BitLocker recovery** during startup or restart, briefly blocking normal access....

Timeline

  1. 20.05.2026 11:28 2 articles · 7d ago

    Microsoft discloses YellowKey CVE-2026-45585 and releases mitigation

    Initial Disclosure

    Microsoft disclosed CVE-2026-45585, also referred to as YellowKey, as a BitLocker security feature bypass affecting Windows 11 Version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation), and released mitigation guidance after a public proof of concept became available. The flaw carries a CVSS score of 6.8 and can let an attacker with physical access place crafted FsTx files on a USB drive or EFI partition, reboot into Windows Recovery Environment (WinRE), and spawn an unrestricted shell that bypasses BitLocker Device Encryption and exposes encrypted data. Guidance from Microsoft and others recommends removing autofstx.exe from Session Manager's BootExecute REG_MULTI_SZ value in the WinRE image, reestablishing BitLocker trust for WinRE, switching protected devices from TPM-only to TPM+PIN, and enabling "Require additional authentication at startup" for unencrypted devices through Microsoft Intune or Group Policy.
