CVE-2026-45585 – Windows BitLocker Security Feature Bypass Vulnerability

CVSS 6.8 MODERATE Critical or Zero Day – Immediate Deployment

“When a security feature designed to protect data can be bypassed, stolen devices can become exposed devices. Strong encryption only works when its protections remain intact.”

Microsoft has published CVE-2026-45585, a Windows BitLocker Security Feature Bypass Vulnerability publicly referred to as YellowKey. Microsoft states that a proof-of-concept (PoC) for this vulnerability has been publicly disclosed before a security update became available. The company issued this CVE to provide mitigation guidance until security updates are installed. Systems using TPM+PIN are not vulnerable to exploitation according to Microsoft.

CVSS Score: 6.8

SEVERITY: MEDIUM

THREAT:

This vulnerability allows an attacker to bypass a Windows security feature designed to protect encrypted data. Successful exploitation could weaken BitLocker protections on vulnerable systems, particularly if a device is lost or stolen, potentially exposing sensitive information that organizations expect to remain encrypted.

EXPLOITS:

A public proof-of-concept (PoC) exploit exists. Microsoft specifically notes that the vulnerability became publicly known through the release of PoC code before coordinated disclosure was completed. The available data does not confirm active in-the-wild exploitation or a zero-day attack campaign.

TECHNICAL SUMMARY:

The vulnerability affects Microsoft BitLocker and is publicly known as YellowKey. Microsoft classifies it as a Security Feature Bypass vulnerability. The CVE record identifies the associated weakness as CWE-77: Improper Neutralization of Special Elements used in a Command (“Command Injection”). Microsoft has released mitigation guidance that can be implemented until the security update is applied. The advisory also confirms that devices configured to use TPM+PIN authentication are not exploitable by this vulnerability.

EXPLOITABILITY:

Affected products include:

Windows 11 Version 24H2 (x64) – versions 10.0.26100.0 through 10.0.26100.8654

Windows 11 Version 25H2 (x64) – versions 10.0.26200.0 through 10.0.26200.8654

Windows 11 Version 26H1 (x64) – versions 10.0.28000.0 through 10.0.28000.2268

Windows Server 2025 – versions 10.0.26100.0 through 10.0.26100.32994

Windows Server 2025 (Server Core installation) – versions 10.0.26100.0 through 10.0.26100.32994

Microsoft states that systems using TPM+PIN are not susceptible to exploitation.

BUSINESS IMPACT:

Organizations relying on BitLocker to protect sensitive information on laptops and other portable devices could face increased risk if vulnerable systems are lost or stolen. A successful security feature bypass may reduce confidence in device encryption protections and increase the potential for unauthorized access to sensitive business information.

WORKAROUND:

If the security update cannot be applied immediately, Microsoft recommends implementing its published temporary mitigations. These mitigations do not impact service availability or management operations, and they do not need to be removed after the security update is installed. Organizations using TPM+PIN are not affected by this vulnerability.

URGENCY:

Although the CVSS severity is MEDIUM, the vulnerability has a publicly available proof-of-concept, increasing the likelihood of attempted exploitation. Organizations with portable Windows devices protected by BitLocker should prioritize applying Microsoft’s mitigations and security updates to reduce the risk of unauthorized access to encrypted data.

SPEAKER NOTES:

YellowKey is a Windows BitLocker Security Feature Bypass vulnerability.

CVSS v3.1 Base Score is 6.8 with MEDIUM severity.

Public proof-of-concept exploit code is available.

TPM+PIN authentication protects against this specific vulnerability.

Apply Microsoft’s mitigation guidance and security update as soon as practical.

Key Details

Affected Product
Microsoft Windows 11 24h2
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-77
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.