CVE-2026-45585: YellowKey BitLocker Bypass Exposes Encrypted Data on Windows Devices


SOC Prime Team


BitLocker is designed to protect data at rest even when a device is lost, stolen, or powered off, which is why a bypass of that trust model draws immediate attention. CVE-2026-45585, publicly referred to as YellowKey, is a Windows security feature bypass that, according to Microsoft, can let an attacker with physical access sidestep BitLocker protections and read encrypted data on affected systems. The issue carries a CVSS score of 6.8 and affects Windows 11 versions 24H2, 25H2, and 26H1 for x64-based systems, as well as Windows Server 2025, including the Server Core installation.

For defenders starting CVE-2026-45585 analysis, the most important point is that the weakness is not in BitLocker’s encryption itself. Help Net Security, citing NCSC Netherlands, notes that the flaw sits in the recovery environment surrounding BitLocker rather than in the cryptography protecting the drive. Public reporting also says a researcher known as Nightmare Eclipse disclosed the zero-day and released a proof-of-concept, which both Help Net Security and The Hacker News say can be readily leveraged.

CVE-2026-45585 analysis

CVE-2026-45585 is exploited through the Windows Recovery Environment rather than through a remote attack path. According to The Hacker News, the attack involves placing specially crafted FsTx files on a USB drive or EFI partition, connecting the media to a target Windows system with BitLocker enabled, rebooting into WinRE, and triggering an unrestricted shell by holding down the CTRL key. If successful, the attacker gains access to the BitLocker-protected volume during the pre-boot recovery sequence.

In practical terms, the published CVE-2026-45585 PoC is not a traditional malware dropper but a malicious recovery-sequence setup that abuses trusted pre-boot behavior. That is also why the public details matter so much operationally: any affected machine that an attacker can physically handle long enough to attach a USB drive (or write to the EFI partition) and reboot into WinRE is a candidate target. The public PoC has already lowered the barrier to replication.

From a monitoring standpoint, CVE-2026-45585 detection is harder than for network-borne vulnerabilities because the exploit is local and runs pre-boot, before the installed operating system and its logging are running. The cited reports contain no vendor-published IOCs, so the most realistic way to measure exposure is an asset review: identify affected Windows 11 and Windows Server 2025 systems, determine whether they rely on TPM-only BitLocker protection, and verify whether Microsoft's temporary mitigation has been applied to the WinRE image.

From an exposure perspective, CVE-2026-45585 affects organizations that depend on BitLocker to protect unattended laptops, mobile workstations, or portable servers from offline access after theft or temporary physical access. Since the flaw bypasses a security feature rather than breaking encryption itself, the main risk is loss of confidentiality when an attacker can reach the recovery workflow before the legitimate user regains control of the device.


CVE-2026-45585 Mitigation

Microsoft’s current CVE-2026-45585 mitigation guidance offers two paths. The first is to mount the WinRE image, remove autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value in the image's offline SYSTEM hive, save the offline registry changes, unmount and commit the updated image, and reestablish BitLocker trust for WinRE. The Hacker News says Microsoft later supplemented the advisory with a script that automates this workflow: it mounts WinRE, edits the offline SYSTEM hive, removes the entry if present, and reseals WinRE so that BitLocker trust remains intact.
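The asset review from the detection section and the first mitigation path above, as one added PowerShell example; this is not SOC Prime's code and not Microsoft's script. It assumes three things the advisory as quoted here does not state: that the WinRE image to inspect is the one `reagentc /info` reports, that the BootExecute entry can be recognised by the substring `autofstx`, and that "reestablishing BitLocker trust" means re-registering WinRE with `reagentc /disable` followed by `reagentc /enable`. Without `-Remediate` it only reads: affected build (matched on the DisplayVersion strings named on the page), TPM-only startup protection, and whether autofstx.exe is still in the mounted image's Session Manager key.

```powershell
<#
Added example (not SOC Prime's or Microsoft's code). Audits one host for
CVE-2026-45585 exposure and, with -Remediate, applies the first mitigation
path: remove autofstx.exe from the WinRE image's Session Manager BootExecute
list, commit the image, and re-register WinRE.
Assumptions not stated on the page: the WinRE image to inspect is the one
"reagentc /info" reports; the entry is recognised by the substring "autofstx";
BitLocker trust in WinRE is re-established by "reagentc /disable" followed by
"reagentc /enable". Run from an elevated PowerShell session on a lab machine first.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$MountDir = 'C:\WinRE_Mount',   # must be empty; created if missing
    [string]$HiveName = 'WinRE_SYS'         # temporary name for the offline hive
)
$ErrorActionPreference = 'Stop'

# 1. Affected build? Windows 11 versions named in the advisory, or Server 2025.
$affected = @('24H2', '25H2', '26H1')
$os  = Get-CimInstance Win32_OperatingSystem
$ver = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
$inScope = ($os.Caption -like '*Windows 11*' -and $ver -in $affected) -or
           ($os.Caption -like '*Windows Server 2025*')
Write-Host "OS: $($os.Caption) $ver  affected build: $inScope"

# 2. TPM-only startup protection on the OS volume?
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector.KeyProtectorType)
$tpmOnly = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })
Write-Host "Protectors: $($types -join ', ')  TPM-only: $tpmOnly"
if ($Remediate -and $types -notcontains 'RecoveryPassword') {
    throw 'Escrow a recovery password before touching WinRE'
}

# 3. Locate winre.wim, mount it, and load its offline SYSTEM hive.
$info = (reagentc /info) -join "`n"
$m = [regex]::Match($info, 'Windows RE location:[ \t]*([^\r\n]+)')
if (-not $m.Success) { throw 'reagentc reported no WinRE location (WinRE disabled?)' }
$wim = $m.Groups[1].Value.Trim() + '\winre.wim'
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $MountDir | Out-Null

$changed = $false
try {
    reg load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    # An offline hive has no CurrentControlSet link; resolve it from Select\Current.
    $cs    = 'ControlSet{0:D3}' -f (Get-ItemProperty "HKLM:\$HiveName\Select").Current
    $smKey = "HKLM:\$HiveName\$cs\Control\Session Manager"
    $boot  = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
    $bad   = @($boot | Where-Object { $_ -match 'autofstx' })
    Write-Host "WinRE BootExecute: $($boot -join ' | ')"
    Write-Host "autofstx entry present (mitigation missing): $($bad.Count -gt 0)"

    if ($Remediate -and $bad.Count -gt 0) {
        $kept = @($boot | Where-Object { $_ -notmatch 'autofstx' })
        Set-ItemProperty -Path $smKey -Name BootExecute -Value ([string[]]$kept) -Type MultiString
        $changed = $true
    }
}
finally {
    [gc]::Collect()                       # drop hive handles so the unload succeeds
    reg unload "HKLM\$HiveName" | Out-Null
    # Commit only if the entry was actually removed; otherwise leave the WIM untouched.
    if ($changed) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

# 4. Re-register WinRE so BitLocker trusts the modified image (see assumptions above).
if ($changed) {
    reagentc /disable | Out-Null
    reagentc /enable  | Out-Null
    Write-Host 'autofstx.exe removed from WinRE BootExecute; WinRE re-registered'
}
```

The audit branch dismounts with `-Discard`, so running it without `-Remediate` across a fleet changes nothing on disk; the `BootExecute` and protector lines it prints are the two facts the asset review needs. The recovery-password check is there because an offline hive edit that goes wrong leaves the recovery password as the only way back into the volume.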

The second path is to move devices away from TPM-only protection and require TPM+PIN at startup. Microsoft says this can be done on already encrypted systems through PowerShell, the command line, or Control Panel. For systems that are not yet encrypted, administrators are advised to enable Require additional authentication at startup through Group Policy or Intune and configure a startup PIN with TPM. Help Net Security notes that researchers consider the first mitigation effective because it stops the FsTx Auto Recovery Utility from launching automatically when WinRE starts; one researcher also claims to hold a separate bypass for TPM+PIN that is being withheld for now, which is a reason to apply the WinRE change even where TPM+PIN is rolled out.
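The TPM+PIN path for an already encrypted OS volume, as an added PowerShell example rather than Microsoft's documented command sequence. It assumes, beyond what the page states, that no domain GPO or Intune profile manages the BitLocker policy (so the local policy values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are set here and would be overwritten by a managed policy), and that the existing Tpm protector has to be removed before a TpmPin protector can be added because a volume holds only one TPM-based protector.

```powershell
<#
Added example (not SOC Prime's or Microsoft's code). Moves an already
encrypted OS volume from a TPM-only protector to TPM+PIN, the second
mitigation path above. Assumptions not stated on the page: the local FVE
policy values are set here because no GPO/Intune profile manages them; the
Tpm protector is removed before the TpmPin protector is added, since a
volume holds only one TPM-based protector. Run elevated.
#>
param(
    [string]$MountPoint   = $env:SystemDrive,
    [int]   $MinPinLength = 6   # BitLocker's default minimum; raise it via policy if required
)
$ErrorActionPreference = 'Stop'

# "Require additional authentication at startup" must permit a startup PIN,
# or Add-BitLockerKeyProtector rejects the TpmPin protector.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord  # enable the policy
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord  # 1 = require PIN with TPM
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord  # 0 = do not allow TPM-only

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector.KeyProtectorType)
if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "$MountPoint is not BitLocker-encrypted" }
if ($types -notcontains 'RecoveryPassword') {
    throw 'Escrow a recovery password first; it is the only unlock path while protectors change'
}
if ($types -contains 'TpmPin') { Write-Host "$MountPoint already uses TPM+PIN"; return }

$pin = Read-Host -Prompt "Startup PIN (at least $MinPinLength characters)" -AsSecureString
if ($pin.Length -lt $MinPinLength) { throw 'PIN too short' }

# Swap protectors in one run so the volume never reboots with only the recovery password.
foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Verify: expect TpmPin plus RecoveryPassword, and no bare Tpm protector.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The policy writes come first because the cmdlet enforces them at protector-creation time, and the recovery-password check comes before any protector is removed: between the `Remove-` and `Add-` calls the recovery password is the only protector on the volume, so a failure there must not leave a device that cannot be unlocked.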

FAQ

What is CVE-2026-45585 and how does it work?

CVE-2026-45585 is a BitLocker security feature bypass in Windows, also called YellowKey. It works by abusing trusted behavior in the Windows Recovery Environment so an attacker with physical access can trigger an unrestricted shell and access the encrypted volume during pre-boot recovery.

When was CVE-2026-45585 first discovered?

The two cited reports do not disclose a private discovery date. Publicly, Help Net Security says the zero-day was disclosed about a week before Microsoft’s mitigation, and both reports place Microsoft’s mitigation release on May 20, 2026, with an additional script update noted by Help Net Security on May 21, 2026.

What is the impact of CVE-2026-45585 on systems?

The main impact is unauthorized access to BitLocker-protected data. A successful attack can let someone with physical access bypass the protection surrounding the encrypted drive and read data that should remain protected at rest.

Can CVE-2026-45585 still affect me in 2026?

Yes. Systems running the affected Windows 11 and Windows Server 2025 builds can still be exposed in 2026 if they have not applied Microsoft’s mitigation and still rely on the vulnerable recovery behavior, especially where physical access cannot be tightly controlled.

How can I protect myself from CVE-2026-45585?

Apply Microsoft’s WinRE mitigation by removing autofstx.exe from the offline BootExecute setting and resealing BitLocker trust, or require TPM+PIN instead of TPM-only startup protection. For new deployments, enable additional authentication at startup through policy so BitLocker is not left relying on the weaker default path alone.
