
Microsoft fixes YellowKey BitLocker bypass flaw (CVE-2026-45585)

Summary

– Microsoft is developing a fix for CVE-2026-45585 (“YellowKey”), a vulnerability that bypasses BitLocker encryption protections when an attacker has physical access to the device.
– The vulnerability exists in BitLocker’s recovery environment, not in the encryption itself, and affects Windows 11 and Windows Server 2025 versions.
– Security researcher Nightmare Eclipse disclosed the zero-day vulnerability and published a working proof-of-concept exploit.
– Microsoft’s mitigations include removing the autofstx.exe file from the Windows RE image or adding a PIN to BitLocker protection.
– The researcher who disclosed YellowKey has previously published exploits for other Microsoft zero-days, including BlueHammer, RedSun, and UnDefend.

Microsoft is actively developing a patch for CVE-2026-45585, a vulnerability nicknamed YellowKey that allows attackers to sidestep protections offered by BitLocker, the built-in full-disk encryption tool in Windows. Until a permanent fix arrives, the company has issued step-by-step mitigation guidance to help users shield their devices from exploitation.

The YellowKey exploit targets a security feature bypass vulnerability that requires physical access to the affected machine. It impacts a range of Windows 11 and Windows Server 2025 editions. Security researcher Nightmare Eclipse disclosed the flaw as a zero-day roughly a week ago, reportedly frustrated with Microsoft’s response to earlier bug reports. The published proof-of-concept (PoC) exploit is straightforward to deploy.

BitLocker’s fundamental design ensures that stolen or unattended devices remain secure, even if the drive is removed or the system is powered down. Data is encrypted while at rest, and decryption keys are tied to the Trusted Platform Module (TPM), which also checks that the boot process hasn’t been altered before releasing the key. According to NCSC Netherlands, the weakness lies not in the encryption itself but in the recovery environment that supports BitLocker. Vulnerability analyst Will Dormann has verified that the PoC exploit functions as described.

To mitigate the risk, Microsoft recommends two main approaches. The first involves removing a vulnerable component, autofstx.exe, from the mounted Windows Recovery Environment (WinRE) image hive, then reestablishing BitLocker trust for WinRE. Dormann explained that this works because it prevents the FsTx Auto Recovery Utility from launching automatically when WinRE starts. The second, simpler option is to add a PIN to BitLocker protection. However, Nightmare Eclipse has indicated they are withholding a separate PoC capable of bypassing TPM+PIN protection.
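The second mitigation above (adding a PIN so that the TPM alone cannot release the volume key) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page, not guidance or code from Microsoft, NCSC Netherlands or the researcher; it assumes Windows 11 with the built-in BitLocker module, that the OS volume is already encrypted, and that the "Require additional authentication at startup" policy permits a PIN (otherwise `Add-BitLockerKeyProtector` refuses the request). It does not reproduce the autofstx.exe removal, because the article does not give those steps.

```powershell
# Added example (not from the article): audit the OS volume's BitLocker key
# protectors and, if no TPM+PIN protector is present, add one. Run elevated.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive

# Show what currently guards the volume key. A lone 'Tpm' protector is the
# configuration that YellowKey is reported to bypass via WinRE.
"Volume $osDrive : ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)"
$vol.KeyProtector | ForEach-Object { "  Protector: $($_.KeyProtectorType)" }

$hasTpmPin = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }

if ($hasTpmPin) {
    "TPM+PIN protector already present; no change made."
}
else {
    # Collect the PIN as a SecureString so it is never written to logs or history.
    $pin = Read-Host -AsSecureString -Prompt 'Enter a new BitLocker PIN (6+ digits)'
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin

    # Remove the TPM-only protector; leaving it in place would let the TPM still
    # release the key without a PIN, so the PIN would add nothing.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $_.KeyProtectorId
        }

    # Re-read and confirm the final protector set.
    (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        ForEach-Object { "  Protector after change: $($_.KeyProtectorType)" }
}
```

Before removing the TPM-only protector, make sure a recovery password protector exists and its key is escrowed (Active Directory, Entra ID or a printed copy), since a wrong PIN at boot falls back to recovery. As the article notes, the researcher claims to hold a further PoC against TPM+PIN, so this step reduces exposure to the published exploit but should be paired with the WinRE fix once Microsoft ships it.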

The researcher has previously released PoCs for several Microsoft zero-days, including BlueHammer (a Windows local privilege escalation flaw), RedSun (another privilege escalation vulnerability), and UnDefend (an exploit that can block Microsoft Defender from receiving signature updates or disable it entirely).

(Source: Help Net Security)
