Microsoft has disclosed CVE-2026-45585, a BitLocker security feature bypass nicknamed YellowKey that affects Windows 11, Windows Server 2022 and Windows Server 2025. The flaw resides in the Windows Recovery Environment, where a malicious autofstx.exe entry in the BootExecute registry value allows an attacker with physical access to circumvent BitLocker full-disk encryption without user credentials or recovery keys. A proof-of-concept exploit was published on May 19, 2026 by researcher Nightmare-Eclipse and has been independently confirmed to work, and Microsoft rates exploitation as more likely though no in-the-wild abuse has been reported. No official patch is available yet; Microsoft has issued manual mitigations involving removing the vulnerable entry from the mounted WinRE image and re-establishing BitLocker trust, or alternatively adding a TPM+PIN protector. Administrators of Windows 11 and Server 2022/2025 endpoints, especially mobile or easily-stolen devices, should apply the WinRE remediation and enforce TPM+PIN ahead of a formal fix.
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE(opens in a new tab)
- Microsoft provides mitigation for "YellowKey" BitLocker bypass f(opens in a new tab)
- Microsoft Releases Mitigation for Windows BitLocker Security Byp(opens in a new tab)
- CVE-2026-45585 Microsoft Releases Mitigation for YellowKey BitLo(opens in a new tab)
- Microsoft Rolls Out Mitigations for 'YellowKey' BitLocker Bypass(opens in a new tab)