Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue, published mitigation guidance after a public proof of concept, and later Patch Tuesday updates addressed it. Later reporting on the same CVE described GreatXML, which abuses the recovery-partition and WinRE flow to obtain unrestricted access to the BitLocker volume. That reporting also said systems that had used Windows Defender Offline Scan could be automatically affected.
Related Happenings
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Microsoft BitLocker recovery prompt workaround
Advisory/Mitigation
H score25
First: 09.06.2026 21:35
Last: 09.06.2026 21:35
Sources 1
About this happening:
Microsoft issued a **temporary workaround** for **BitLocker recovery prompts** on some **Windows** systems after recent updates. The issue affects devices configured with a **BitL...
Microsoft BitLocker recovery prompt workaround
Advisory/MitigationAbout this happening: Microsoft issued a **temporary workaround** for **BitLocker recovery prompts** on some **Windows** systems after recent updates. The issue affects devices configured with a **BitL...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
H score39
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
VulnerabilityAbout this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
H score32
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
About this happening:
**Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationAbout this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Latest development: 10.06.2026 12:57
On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.
Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
H score7
First: 14.05.2026 10:27
Last: 14.05.2026 10:27
Sources 1
About this happening:
**YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Windows 11 BitLocker bypass YellowKey security flaw
VulnerabilityAbout this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Latest development: 20.05.2026 10:31
Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
Timeline
-
11.06.2026 20:43 2 articles · 28d ago
Chaotic Eclipse releases GreatXML BitLocker bypass
Initial DisclosureSecurity researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.
Show sources
- New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files — thehackernews.com — 11.06.2026 20:43
- New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files — thehackernews.com — 11.06.2026 20:43
-
20.05.2026 11:28 2 articles · 1mo ago
Microsoft discloses YellowKey CVE-2026-45585 and releases mitigation
Initial DisclosureMicrosoft disclosed CVE-2026-45585, also referred to as YellowKey, as a BitLocker security feature bypass affecting Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation), and released mitigation guidance after a public proof of concept became available. The flaw carries a CVSS score of 6.8 and can let an attacker with physical access place crafted FsTx files on a USB drive or EFI partition, reboot into Windows Recovery Environment (WinRE), and spawn an unrestricted shell that bypasses BitLocker Device Encryption and exposes encrypted data. Microsoft and other guidance recommend removing autofstx.exe from Session Manager's BootExecute REG_MULTI_SZ value in the WinRE image, reestablishing BitLocker trust for WinRE, switching protected devices from TPM-only to TPM+PIN, and enabling Require additional authentication at startup for unencrypted devices through Microsoft Intune or Group Policies.
Show sources
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28