Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

Ravie Lakshmanan | May 20, 2026 | Vulnerability / Encryption

Microsoft on Tuesday released mitigation guidance for a BitLocker bypass vulnerability called YellowKey, following its public disclosure last week.

The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8 and is described as a BitLocker security feature bypass.

“Microsoft is aware of the vulnerability of a security feature in Windows publicly known as ‘YellowKey,’” the tech giant said in an advisory. “The proof of concept for this vulnerability has been exposed, violating best practices for vulnerability.”

The issue affects Windows 11 version 26H1 for x64-based systems, Windows 11 version 24H2 for x64-based systems, Windows 11 version 25H2 for x64-based systems, Windows Server 2025, and Windows Server 2025 (Server Core installations).

YellowKey was discovered by a security researcher known as Chaotic Eclipse (aka Nightmare-Eclipse). The technique involves placing specially crafted ‘FsTx’ (Transactional NTFS) files on a USB drive or the EFI partition, connecting the drive to a target Windows computer with BitLocker enabled, rebooting into the Windows Recovery Environment (WinRE), and launching a shell with unrestricted access by holding down the CTRL key.

“If you did everything correctly, the shell will reveal unrestricted access to the BitLocker protected volume,” the researcher said in a GitHub post.

Redmond noted that a successful exploit could allow an attacker with physical access to bypass BitLocker’s Device Encryption feature on the system’s storage device and gain access to encrypted data.

To address the risk, Microsoft has proposed the following steps:

  • Mount the WinRE image on each device.
  • Load the SYSTEM registry hive of the mounted WinRE image.
  • Fix BootExecute by removing the “autofstx.exe” entry from the Session Manager BootExecute REG_MULTI_SZ value.
  • Save and unload the registry hive.
  • Unmount the updated WinRE image, committing the changes.
  • Re-establish the BitLocker trust for WinRE.

“Specifically, it prevents the FsTx Auto Recovery Utility, autofstx.exe, from starting automatically when the WinRE image is launched,” said security researcher Will Dormann. “With this change, Transactional NTFS replay that removes winpeshl.ini no longer occurs. It also recommends switching from TPM-only to TPM+PIN.”
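The WinRE hardening steps above as an added PowerShell example; this is not Microsoft's or the researcher's script. The mount directory, the name of the loaded hive, and the closing reagentc /disable + /enable cycle used to re-establish BitLocker's trust in WinRE are assumptions; an elevated prompt and a working WinRE (check with reagentc /info) are required.

```powershell
#Requires -RunAsAdministrator
# Added example: strip autofstx.exe from the BootExecute list of the offline WinRE image.
$Mount   = 'C:\WinRE_Mount'   # hypothetical, empty mount directory
$HiveKey = 'WinRE_SYSTEM'     # hypothetical name for the loaded offline SYSTEM hive

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
reagentc /mountre /path $Mount
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

try {
    # Load the WinRE image's SYSTEM hive under HKLM\WinRE_SYSTEM.
    reg load "HKLM\$HiveKey" "$Mount\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }

    # Offline hives have no CurrentControlSet link; resolve the active set via Select\Current.
    $cs    = (Get-ItemProperty -Path "HKLM:\$HiveKey\Select" -Name Current).Current
    $SmKey = "HKLM:\$HiveKey\ControlSet{0:D3}\Control\Session Manager" -f $cs

    [string[]]$before = (Get-ItemProperty -Path $SmKey -Name BootExecute).BootExecute
    Write-Host "BootExecute before: $($before -join ' | ')"

    # Drop every entry that launches the FsTx auto-recovery utility; keep the rest (e.g. autochk).
    [string[]]$after = $before | Where-Object { $_ -notmatch '(?i)autofstx' }
    if ($after.Count -ne $before.Count) {
        Set-ItemProperty -Path $SmKey -Name BootExecute -Type MultiString -Value $after
        Write-Host "BootExecute after:  $($after -join ' | ')"
    } else {
        Write-Host 'autofstx.exe not present in BootExecute; no change made.'
    }
}
finally {
    # Release the registry provider's handles so the hive can be unloaded, then commit the image.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload "HKLM\$HiveKey" | Out-Null
    reagentc /unmountre /path $Mount /commit
}

# Assumption: a disable/enable cycle re-registers WinRE so BitLocker re-trusts the modified image.
reagentc /disable
reagentc /enable
```

Switching an already-encrypted volume from TPM-only to TPM+PIN is a separate step, for example `Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $securePin` followed by removing the old TPM-only protector.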

Microsoft also emphasized that devices already encrypted with “TPM-only” protection can be protected from exploitation by switching BitLocker to “TPM+PIN” mode via PowerShell, the command line, or the Control Panel. This requires a PIN before the drive is unlocked at startup, effectively blocking a YellowKey attack.

For unencrypted devices, administrators are advised to enable the “Require additional verification at startup” option through Microsoft Intune or Group Policies and ensure that “Configure TPM startup PIN” is set to “Require TPM startup PIN.”
