Microsoft has acknowledged a security feature bypass vulnerability in Windows BitLocker, publicly known as “YellowKey” and tracked as CVE-2026-45585. The vulnerability affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A proof-of-concept has been publicly released, and Microsoft has published mitigation guidance while working on a permanent security update.
What Is the Vulnerability?
CVE-2026-45585 (YellowKey) is a security feature bypass in Windows BitLocker — the full-disk encryption technology built into Windows. The vulnerability is classified under CWE-77 (Command Injection) and allows an attacker to bypass BitLocker’s encryption protections under certain conditions. The PoC was publicly released “violating coordinated vulnerability best practices,” according to Microsoft, forcing the company to issue this CVE with interim mitigation guidance before the security update was ready.
BitLocker is the primary data-at-rest encryption solution for Windows enterprise environments. A bypass of BitLocker protections could allow an attacker with physical access to a device — a stolen laptop, a decommissioned hard drive, or an unattended workstation — to access encrypted data without the decryption key.
The vulnerability was extensively covered in the May 21 and May 22, 2026 Vulnerability Intelligence Reports, including the PowerShell mitigation script released by Microsoft.
- CVSS v3.1 Score: 6.8 (Medium)
- CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command)
- Attack Vector: Physical access or local access
Which Versions Are Affected?
- Windows 11 24H2 (x64)
- Windows 11 25H2 (x64)
- Windows 11 26H1 (x64)
- Windows Server 2025
Is It Being Exploited in the Wild?
The PoC has been publicly released. While no mass exploitation has been confirmed at the time of writing, the public availability of the PoC means exploitation is possible by anyone with technical capability. The researcher’s decision to publish before a patch was available drew criticism from Microsoft, but the PoC is now in the public domain.
What Is the Fix?
No permanent security update has been released yet. Microsoft has published a PowerShell mitigation script that should be applied immediately. The script is available at the MSRC advisory page. Additionally:
- Enforce TPM+PIN for BitLocker authentication, which provides an additional authentication factor beyond the TPM alone.
- Apply the PowerShell mitigation script on all affected Windows 11 and Windows Server 2025 systems.
- Monitor for the permanent security update from Microsoft.
Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Recommendations
Apply the PowerShell mitigation script immediately. All Windows 11 and Windows Server 2025 systems with BitLocker enabled should run the mitigation script.
Enforce TPM+PIN for BitLocker. This is the strongest defence against YellowKey and similar BitLocker bypass techniques. Deploy through Group Policy or Intune.
Monitor for the permanent update. Microsoft is working on a security update. Apply it immediately when released through Windows Update.
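The following PowerShell audit is an added example, not Microsoft's YellowKey mitigation script (which is only available from the MSRC advisory page) and not from the reports cited here. It assumes the built-in BitLocker module and local administrator rights, and it reports whether each volume already carries a TPM+PIN protector and whether the Group Policy setting that permits TPM+PIN is in place, so the recommendations above can be verified across a fleet before the permanent update ships.

```powershell
# Added example: audit BitLocker protector types and the TPM+PIN policy state.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) and admin rights.
# This is NOT Microsoft's YellowKey mitigation script; it reads configuration
# only and changes nothing.

#Requires -RunAsAdministrator

function Get-TpmPinPolicyState {
    # BitLocker Group Policy settings are written under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    # UseTPMPIN values: 0 = do not allow, 1 = require, 2 = allow (assumed from the documented GPO).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name 'UseTPMPIN' -ErrorAction SilentlyContinue).UseTPMPIN
    switch ($value) {
        1       { 'Required' }
        2       { 'Allowed' }
        0       { 'NotAllowed' }
        default { 'NotConfigured' }
    }
}

function Get-BitLockerAuthAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types look like Tpm, TpmPin, TpmPinStartupKey, RecoveryPassword, ...
        $types     = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpmPin = [bool]($types | Where-Object { $_ -match 'TpmPin' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmPinEnforced   = $hasTpmPin
            # Only the OS volume authenticates at boot, so only it needs TPM+PIN.
            Compliant        = ($vol.VolumeType -ne 'OperatingSystem') -or $hasTpmPin
        }
    }
}

Write-Host "TPM+PIN policy (UseTPMPIN): $(Get-TpmPinPolicyState)"
Get-BitLockerAuthAudit | Format-Table -AutoSize

# Once the policy allows TPM+PIN, the protector can be added on the OS volume with:
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```

Volumes reported with Compliant = False are the ones still relying on the TPM alone; a NotAllowed or NotConfigured policy state means the Group Policy or Intune setting must be pushed before the protector can be added.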
References
- Microsoft MSRC — CVE-2026-45585
- NVD: CVE-2026-45585
- Vulnerability Intelligence Report — May 21, 2026 (initial coverage)
This advisory was first covered in the May 21, 2026 and May 22, 2026 reports.
