On May 19, 2026, Microsoft issued an emergency security advisory for CVE-2026-45585, a critical security feature bypass vulnerability publicly dubbed “YellowKey.”
Carrying a CVSS 3.1 score of 6.8 (Medium) but rated “Important” by Microsoft for its real-world impact, this zero-day exploit undermines the foundational security of BitLocker drive encryption on modern Windows platforms.
Discovered and abruptly released to the public by a security researcher operating under the alias “Nightmare-Eclipse,” YellowKey completely circumvents TPM-only BitLocker protections.
By leveraging an architectural design flaw within the Windows Recovery Environment (WinRE), an attacker with physical access to a machine can obtain an unrestricted, elevated command shell with the encrypted system volume fully unlocked and readable. No recovery keys, user credentials, or advanced hardware-level bus sniffing are required to execute the attack.
Windows BitLocker Zero-Day
At its core, YellowKey is classified as an Improper Neutralization of Special Elements used in a Command (CWE-77). However, the mechanics of its execution are remarkably elegant and devastatingly simple, bypassing modern endpoint security through native operating system behaviors.
The flaw resides specifically in how WinRE parses attached storage for NTFS transaction log data. Historically, the NTFS Transactional Logging (TxF) system was used to maintain file system consistency during system updates.
When WinRE boots, it proactively scans attached volumes for a specific directory structure, System Volume Information\FsTx, and attempts to replay any pending transaction logs it finds there to ensure volume integrity before attempting automated repairs.
The critical failure discovered by the researcher is that this replay mechanism lacks strict boundary validation. The replay can be forced to cross volume boundaries, allowing an attacker to manipulate files on a completely different volume than the one hosting the original logs.
By introducing a specially crafted FsTx folder via a standard USB flash drive or by removing the drive briefly to write directly to the device’s EFI System Partition, an attacker forces WinRE to rewrite parts of its own recovery image in the temporary RAM disk (the X: drive) during early boot.
Specifically, the exploit removes or corrupts winpeshl.ini, the configuration file that instructs WinRE to load the standard graphical recovery user interface.
Without this configuration file, WinRE defaults to its failsafe mode: spawning cmd.exe directly to the screen. Because this sequence occurs after the Trusted Platform Module (TPM) has already validated the boot chain and silently released the Volume Master Key (VMK) to the recovery environment, the resulting command shell has native, unrestricted access to the decrypted BitLocker volume. The attacker can then use diskpart to mount the drive and exfiltrate sensitive data at will.
Microsoft has confirmed that the vulnerability specifically affects Windows 11 (versions 24H2, 25H2, and 26H1) and Windows Server 2025 (including Server Core installations). Notably, the older Windows 10 architecture is completely unaffected by this specific attack path.
While the exploit explicitly requires physical access (Attack Vector: Physical) to the target machine, it represents a catastrophic failure for the primary threat model BitLocker is designed to address: device theft or loss.
Field laptops, shared corporate workstations, and kiosk systems configured in “TPM-only” mode, which boot straight to the Windows login screen without requiring a pre-boot PIN, are fully exposed.
The barrier to entry has collapsed from requiring sophisticated hardware to simply plugging in a USB stick, holding the Shift key to trigger a restart, and holding CTRL during the boot sequence.
This has massive implications for Zero Trust architectures. Many organizations rely on endpoint compliance checks that assume a lost laptop’s data is fundamentally safe if the device was marked as encrypted in Active Directory or Microsoft Intune.
This breach of trust means incident response teams must now treat any stolen TPM-only laptop as a confirmed, verifiable data breach, which can trigger costly regulatory reporting and compliance audits under frameworks such as GDPR or HIPAA.
The abrupt release of the YellowKey proof-of-concept violated coordinated vulnerability disclosure norms, leaving Microsoft scrambling to provide manual mitigations before a software patch could be finalized. However, it is the researcher’s accompanying commentary that has fueled intense industry debate across cybersecurity forums.
Nightmare-Eclipse publicly theorized that the vulnerable component was not a coding accident, but an intentional backdoor. The researcher pointed out that the specific executable responsible for parsing the FsTx logs (autofstx.exe) exists in both the standard Windows 11 installation and the WinRE image.
However, the exact functionality that enables cross-volume file manipulation and triggers the bypass is compiled and active only in the WinRE version.
While most cybersecurity experts attribute such discrepancies to the unique, high-privilege, repair-oriented design requirements of WinRE rather than deliberate corporate sabotage, the optics, combined with a highly functional, unpatched public exploit, have forced enterprise organizations into immediate defensive postures.
Mitigations
Until Microsoft releases a formal security update via Windows Update, organizations must apply immediate mitigations to protect data at rest. Security teams have two primary paths to neutralize YellowKey: turn off the vulnerable component in WinRE or enforce pre-boot authentication.
Method 1: Patching the WinRE Image
Administrators can manually mount the local WinRE image and strip the vulnerable executable from the boot sequence. This neutralizes the specific CVE-2026-45585 attack path without impacting the daily user experience.
1. Mount the WinRE image (requires an elevated command prompt).
Create a local mount directory and extract the image:
mkdir C:\mount
reagentc /mountre /path C:\mount
2. Load the WinRE registry hive:
Load the system registry hive from the newly mounted image:
reg load HKLM\WinREHive C:\mount\Windows\System32\config\SYSTEM
3. Modify the BootExecute sequence:
Navigate to HKLM\WinREHive\ControlSet001\Control\Session Manager.
Edit the BootExecute REG_MULTI_SZ value and completely remove the autofstx.exe entry from the string.
4. Unload the registry hive:
Save your changes safely by unloading the hive:
reg unload HKLM\WinREHive
5. Commit changes and reset BitLocker trust:
Commit the image back to the disk, then disable and re-enable the recovery environment to re-establish the TPM trust chain:
reagentc /unmountre /path C:\mount /commit
reagentc /disable
reagentc /enable
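A scripted form of Method 1, added here as an example (it is not Microsoft's code and not part of the advisory): it mounts WinRE, removes the autofstx entry from BootExecute, and commits the image only if something actually changed. It assumes the C:\mount path and WinREHive alias from the steps above, English-language reagentc output, and that the BootExecute entry can be recognised by the substring autofstx.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: automates Method 1 above.
# Assumes the mount directory and hive alias used in the article (C:\mount, WinREHive);
# matching the BootExecute entry on the substring 'autofstx' is an assumption.
$mountDir = 'C:\mount'
$hiveName = 'WinREHive'
$key      = "HKLM:\$hiveName\ControlSet001\Control\Session Manager"
$changed  = $false

# reagentc /mountre needs a registered, enabled WinRE image (English output assumed).
if ((reagentc /info | Out-String) -notmatch 'Windows RE status:\s+Enabled') {
    throw 'WinRE is not enabled on this machine; nothing to patch.'
}
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
reagentc /mountre /path $mountDir
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed with exit code $LASTEXITCODE" }

try {
    reg.exe load "HKLM\$hiveName" "$mountDir\Windows\System32\config\SYSTEM" | Out-Null
    $boot = @((Get-ItemProperty -Path $key -Name BootExecute).BootExecute)
    $kept = @($boot | Where-Object { $_ -notmatch 'autofstx' })
    if ($kept.Count -eq $boot.Count) {
        Write-Host 'No autofstx entry in BootExecute; the image is already clean.'
    } else {
        # Write the remaining entries back as REG_MULTI_SZ so the value type is preserved.
        Set-ItemProperty -Path $key -Name BootExecute -Value $kept -Type MultiString
        Write-Host "Removed from BootExecute: $($boot | Where-Object { $_ -match 'autofstx' })"
        $changed = $true
    }
} finally {
    # Drop the registry provider's handles first, otherwise reg unload reports access denied.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$hiveName" | Out-Null
    if ($changed) { reagentc /unmountre /path $mountDir /commit }
    else          { reagentc /unmountre /path $mountDir /discard }
}
# Re-register the edited image so the recovery environment is trusted again (step 5 above).
if ($changed) { reagentc /disable; reagentc /enable }
```

Run it once per machine and re-run it after any feature update, since servicing can replace the WinRE image with a stock copy that still lists autofstx.exe.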
Method 2: Implementing a TPM+PIN Protector
The published exploit relies heavily on the TPM automatically releasing the decryption key during the boot sequence without user interaction. Mandating a pre-boot PIN halts the boot process before WinRE can even load, entirely mitigating the vulnerability.
For devices that are already encrypted, administrators can enforce this rapidly via PowerShell:
- Open PowerShell as an Administrator.
- Execute the command:
Add-BitLockerKeyProtector C: -TpmAndPinProtector
- Enter and confirm the new numerical PIN.
If local Group Policy prevents PIN creation, administrators must first navigate to gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Enable the Require additional authentication at startup policy, and set the TPM startup PIN dropdown to Require startup PIN with TPM.
For enterprise fleets managed by Microsoft Intune, administrators should update their BitLocker profiles under Configure TPM Settings to explicitly mandate pre-boot authentication across all roaming devices.
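A scripted form of Method 2, added here as an example (not Microsoft's code and not part of the advisory): it makes sure a recovery password exists before touching the TPM protector, reads the PIN as a SecureString, swaps the TPM-only protector for TPM+PIN, and restores the old protector if the swap fails so the next boot does not fall back to the recovery screen. It assumes the operating system volume is C: and that policy already permits a startup PIN.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: enforces TPM+PIN on the OS volume as in Method 2
# while keeping the volume recoverable at every step. Assumes the OS volume is C: and
# that Group Policy allows a startup PIN (see the gpedit note above).
$mount = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $mount
if ($vol.ProtectionStatus -ne 'On') { throw "$mount is not currently protected by BitLocker." }
if (-not (Get-Tpm).TpmReady)        { throw 'TPM is not ready; a TPM+PIN protector cannot be added.' }
if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
    Write-Host 'TPM+PIN protector already present; nothing to do.'; return
}
# 1. Ensure a recovery password exists before touching the TPM protector; escrow it
#    (Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector) before continuing.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
Write-Host "Recovery password protector: $($rp[0].KeyProtectorId)"
# 2. Read the PIN as a SecureString (never on the command line) and require it twice.
do {
    $pin  = Read-Host -AsSecureString 'Enter new startup PIN'
    $pin2 = Read-Host -AsSecureString 'Confirm startup PIN'
    $same = [Net.NetworkCredential]::new('', $pin).Password -ceq [Net.NetworkCredential]::new('', $pin2).Password
    if (-not $same) { Write-Warning 'PINs do not match, try again.' }
} until ($same)
# 3. Swap the TPM-only protector for TPM+PIN. A volume holds one TPM-based protector,
#    so the old one is removed first; if the add fails, put it back so the next boot
#    does not land on the recovery password prompt.
$tpmOnly = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
foreach ($p in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}
try {
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null
} catch {
    if ($tpmOnly.Count -gt 0) { Add-BitLockerKeyProtector -MountPoint $mount -TpmProtector | Out-Null }
    throw
}
# 4. Verify the final protector set: TPM+PIN present and no TPM-only protector left behind,
#    since a leftover TPM-only protector would still release the VMK without a PIN.
$types = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector.KeyProtectorType)
if ('TpmPin' -notin $types -or 'Tpm' -in $types) { throw "Unexpected protector set: $($types -join ', ')" }
Write-Host "Protectors now: $($types -join ', ')"
```

The same KeyProtectorType check in step 4 is what a fleet-wide compliance query should run, because a device reporting "encrypted" to Intune or Active Directory with only a Tpm protector is exactly the configuration YellowKey targets.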
FAQ
Q: What specific operating systems are vulnerable to the CVE-2026-45585 exploit?
A: Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 are affected, while Windows 10 remains entirely immune.
Q: Can an attacker exploit the YellowKey vulnerability remotely over a network?
A: No, successful exploitation strictly requires physical access to the machine to insert malicious USB media or alter the boot partition.
Q: Does changing my Windows account password protect my data from this bypass?
A: No, the exploit attacks the Recovery Environment directly, completely bypassing the standard Windows login screen and credential checks.
Q: Will adding a startup PIN to my BitLocker configuration stop this attack?
A: Yes, configuring BitLocker to require a pre-boot PIN prevents the automated release of encryption keys that the exploit relies upon.